If it wasn't for the fact that this virus severely and so cunningly crippled my PC, I would have thought this to be a pretty "neat trick" virus/malware/spyware.
AT THIS POINT I DON'T EVEN KNOW WHERE TO BEGIN...
I WILL BE CONSTANTLY UPDATING THIS THREAD, SO STAY TUNED.
================================================
Logfile of HijackThis v1.99.1
Scan saved at 5:52:48 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Weiming\LOCALS~1\Temp\kk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Weiming\Desktop\hijackthis_sfx\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=10271
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {09EB15FA-17D8-4D60-8598-3F549A848DF2} - C:\PROGRA~1\INTERN~1\PLUGINS\b54321.bho
O2 - BHO: (no name) - {16FF142F-BEBD-47CE-A3A6-D52A1A2ECB54} - C:\Program Files\Internet Explorer\Vv54321t.321
O2 - BHO: (no name) - {3B0087DA-90E3-446D-8C7A-6E61D226D87A} - C:\Program Files\Internet Explorer\VteNt64.987
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {AD862DC6-37FA-4D56-B7EA-59C2522A5FC4} - C:\Program Files\Internet Explorer\Explo2eMt.456
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: ?? - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ??(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: ML-2010 Status Monitor Service (SM_ml1600_FUService) - Unknown owner - C:\Program.exe (file missing)
==================================================================================
Malwarebytes' Anti-Malware 1.30
Database version: 1347
Windows 5.1.2600 Service Pack 2
10/31/2008 4:49:29 PM
mbam-log-2008-10-31 (16-49-27).txt
Scan type: Quick Scan
Objects scanned: 62305
Time elapsed: 4 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 22
Registry Keys Infected: 135
Registry Values Infected: 16
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 44
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\3474A8C2.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\4D023DE9.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\D7C79813.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\DA63E650.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\122B901E.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\12B02216.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\8566F82E.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\08223B03.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\43ACDCC5.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\4BF9CBA3.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\58FF3024.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\4F34C688.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\9CA963CA.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\DE02F764.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\B3721C07.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBQQXX.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBWOW.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBDNF.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBTL.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBWD.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBJTLQ.dll (Spyware.OnlineGames) -> No action taken.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{08223b03-1b38-4a33-a83a-a4d3cc1d6e4e} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3474a8c2-bef9-46c8-983a-a26a0030ec30} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4d023de9-f4b5-4be0-99c6-7c7ad0cf5426} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d7c79813-9233-4ae0-832c-99b2e8019673} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{da63e650-537c-4042-87bb-9d19d844680b} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{122b901e-493f-4ad9-bc69-7de8c3e52fcc} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{12b02216-ac3f-42a7-8313-449771237061} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8566f82e-03a4-416e-aeac-66600d8881f1} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{43acdcc5-9009-4af4-b80a-93bc656ef298} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4bf9cba3-8dee-41a1-8bdb-fc28d30e949f} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{58ff3024-8a83-4b1a-88e9-302f47646eee} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4f34c688-fd49-42fc-97f7-87d2f5791612} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9ca963ca-107c-4089-b0ab-31380f90d7e3} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{de02f764-c51a-4788-9597-d78ecc2ac08f} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b3721c07-62b3-411a-9dc7-f5f27e3e21ff} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\5102a80 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\5102a80 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hbkernel32 (SPyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel32 (SPyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel32 (SPyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp (Security.Hijack) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{08223b03-1b38-4a33-a83a-a4d3cc1d6e4e} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3474a8c2-bef9-46c8-983a-a26a0030ec30} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4d023de9-f4b5-4be0-99c6-7c7ad0cf5426} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d7c79813-9233-4ae0-832c-99b2e8019673} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{da63e650-537c-4042-87bb-9d19d844680b} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{122b901e-493f-4ad9-bc69-7de8c3e52fcc} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{12b02216-ac3f-42a7-8313-449771237061} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{8566f82e-03a4-416e-aeac-66600d8881f1} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{43acdcc5-9009-4af4-b80a-93bc656ef298} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4bf9cba3-8dee-41a1-8bdb-fc28d30e949f} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{58ff3024-8a83-4b1a-88e9-302f47646eee} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4f34c688-fd49-42fc-97f7-87d2f5791612} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9ca963ca-107c-4089-b0ab-31380f90d7e3} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{de02f764-c51a-4788-9597-d78ecc2ac08f} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b3721c07-62b3-411a-9dc7-f5f27e3e21ff} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HBService32 (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.6700.cn?tn=10271) Good: (http://www.google.com/) -> No action taken.
Folders Infected:
C:\Program Files\Common Files\PushWare (Adware.CPush) -> No action taken.
Files Infected:
C:\WINDOWS\system32\08223B03.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\3474A8C2.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\4D023DE9.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\D7C79813.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\DA63E650.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\122B901E.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\12B02216.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\8566F82E.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\43ACDCC5.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\4BF9CBA3.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\58FF3024.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\4F34C688.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\9CA963CA.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\DE02F764.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\B3721C07.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\winhlp32.exe (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\mwiszcyys32_081027.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\5102a80.sys (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\drivers\HBKernel32.sys (SPyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\1SVVFH04\new2[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\1SVVFH04\new3[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\1SVVFH04\new4[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\1SVVFH04\new5[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\NJ56QIBV\new14[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\NJ56QIBV\new6[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\NJ56QIBV\new7[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\O9IRWTQ7\wxpSetup202[1].txt (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temporary Internet Files\Content.IE5\PGHSPVA6\new1[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Program Files\Common Files\PushWare\cpush.dll (Adware.CPush) -> No action taken.
C:\Program Files\Common Files\PushWare\Uninst.exe (Adware.CPush) -> No action taken.
C:\WINDOWS\system32\inf\scrsyszy081027.scr (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBQQXX.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBWOW.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBDNF.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBTL.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBWD.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\HBJTLQ.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\d3d1caps.SRG (Stolen.Data) -> No action taken.
C:\WINDOWS\system32\lwizyy16_081027.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\inf\scrszyys16_081027.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system\zayjhxpRes081027.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) -> No action taken.
C:\Documents and Settings\Weiming\Local Settings\Temp\Gameeeeeee.vbs (Trojan.Agent) -> No action taken.
=======================================
Malwarebytes' Anti-Malware 1.30
Database version: 1347
Windows 5.1.2600 Service Pack 2
10/31/2008 5:04:27 PM
mbam-log-2008-10-31 (17-04-24).txt
Scan type: Full Scan (C:\|)
Objects scanned: 92775
Time elapsed: 12 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hbkernel32 (SPyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel32 (SPyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel32 (SPyware.OnlineGames) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HBService32 (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\00002B84\62015 (Spyware.OnlineGames) -> No action taken.
C:\00002CEC\81781 (Spyware.OnlineGames) -> No action taken.
C:\00002F6C\70515 (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\drivers\HBKernel32.sys (SPyware.OnlineGames) -> No action taken.
C:\0007877D\515984 (Spyware.OnlineGames) -> No action taken.
===========================================
Urgent Newest Deadliest Upcoming Virus/Threat I have ever seen!
Started by terminator, Oct 31 2008 06:00 PM
#1
Posted 31 October 2008 - 06:00 PM
#2
Posted 31 October 2008 - 06:04 PM
#3
Posted 31 October 2008 - 06:11 PM
This virus will NOT allow me to even open "CMD" (it closed out after a second)
This virus will NOT allow me to even start services.msc, or device manager... (won't open, says another app is currently using it)
This virus will FORCIBLY and INSTANTLY REBOOT my PC when it detects I am trying to do something or get somewhere to remove it!!!
This virus will ALWAYS REVERT the windows explorer folders options to HIDE hidden files, to not show system files, etc.... !!! Even right after I changed it back!
This virus will NOT allow me to boot successfully into the SAFE MODE with command prompt, it reverts to Normal Safemode with the GUI, and even in this mode I am not able to open CMD, it closed out after a second also.
This virus will reboot whenever I attempt to erase temporary history files in IE. This virus reboots whenever I even TRY to click on Firefox to start Firefox!
This virus will reboot when I try to manually navigate to %temp% or elsewhere to attempt to clear out system temporary files
This virus will NOT allow fileassassin to erase/destroy its many many suspicious .dll files in windows\system32\ folder...
#4
Posted 31 October 2008 - 06:18 PM
At this point I am thinking about doing a full low level reformat and reinstalling Windows XP...
But I posted this because this new virus makes Antivirus 2008 look like a walk in the freaking park....
I have always been able to easily get rid of malware of any kind, but not this one! I did a full scan with an updated (just hours ago) version of Malwarebytes; it says it found a couple hundred objects, I removed them all, rebooted and it was just as bad. The screenshots you see are AFTER I did the scanning!
NOTE: at first for the longest time I thought I had a CPU overheat issue, or RAM issue or something like that. I did a harddrive check, scandisk, ran coretemp, mem check tools, etc...
This virus LITERALLY shuts down the system in the blink of an eye, much faster than say "shutdown -r -f -t 00". I don't know how they do this on the software level, which is why I thought the shutdown was due to hardware failure, but I tested a Linux livecd boot straight to RAM and it ran for HOURS on the same machine with no problems! This is definitely a software/OS/virus issue!
Please, does anyone know about this? Can you people at Malwarebytes look into this?
#5
Posted 31 October 2008 - 06:26 PM
I am going to try downloading BartPE to see if I can go into NTFS to remove this crap. I'll give y'all an update on how that goes.
I'd still like to avoid reformatting unless I need to...
#6
Posted 31 October 2008 - 06:30 PM
How to kill it, dunno as yet?
KK.EXE has been seen to perform the following behavior:
* The Process is packed and/or encrypted using a software packing process
* The Process is polymorphic and can change its structure
* This Process Creates Other Processes On Disk
* This Process Deletes Other Processes From Disk
* Writes to another Process's Virtual Memory (Process Hijacking)
* Loads and Executes a System Driver File
* Registers a Dynamic Link Library File
* Executes a Process
* Adds a Registry Key (RUN) to auto start Programs on system start up
* Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
* The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
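The MBAM log at the top of the thread and the behaviour list above show the same shape of infection: a service/driver registration, a Run key, DLLs dropped into system32, and droppers in Temp. As an added example (not code from this thread or from Malwarebytes), here is a small Python triage script that parses MBAM 1.x log lines of the form `item (family) -> action`, folds label variants such as `SPyware.OnlineGames`, and ranks findings by persistence mechanism so the driver and Run key are handled before the temp-file droppers; the sample log embedded in it is constructed, not the poster's.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the MBAM 1.x log format used in this thread; it is not
# the poster's real log. Backslashes are doubled for the Python string literal.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.30
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 4
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\hbkernel32 (SPyware.OnlineGames) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\HBService32 (Trojan.Agent) -> No action taken.
Files Infected:
C:\\WINDOWS\\system32\\drivers\\HBKernel32.sys (SPyware.OnlineGames) -> No action taken.
C:\\WINDOWS\\system32\\HBWOW.dll (Spyware.OnlineGames) -> No action taken.
C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\kk.exe (Trojan.Agent) -> No action taken.
C:\\00002B84\\62015 (Spyware.OnlineGames) -> No action taken.
"""

# A section header has nothing after the colon; a summary line carries a count.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)\s*$")
# Greedy item match, so a path containing "(x86)" still splits at the last "(".
DETECTION_RE = re.compile(r"^(?P<item>.*) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Remediation order: what re-installs the rest must go before what it drops.
PRIORITY = ["kernel driver", "service registration", "autostart run key",
            "system32 DLL", "hidden numeric directory", "temp/cache dropper", "other"]


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str


def normalise_family(name: str) -> str:
    """Fold spelling variants of the vendor prefix ('SPyware.' vs 'Spyware.')."""
    prefix, dot, rest = name.partition(".")
    return prefix.capitalize() + dot + rest


def parse_mbam_log(text: str) -> list:
    """Return one Detection per 'item (family) -> action' line, tagged with its section."""
    found, section = [], "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SUMMARY_RE.match(line):
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head["name"]
            continue
        det = DETECTION_RE.match(line)
        if det:
            found.append(Detection(section, det["item"], normalise_family(det["family"]),
                                   det["action"].rstrip(".")))
    return found


def classify(det: Detection) -> str:
    """Map a finding to the persistence/staging mechanism it represents."""
    item = det.item.lower()
    if det.section.startswith("Registry"):
        if "\\services\\" in item:
            return "service registration"
        if "\\currentversion\\run" in item:
            return "autostart run key"
        return "other"
    if "\\drivers\\" in item and item.endswith(".sys"):
        return "kernel driver"
    if "\\system32\\" in item and item.endswith(".dll"):
        return "system32 DLL"
    if "\\temp\\" in item or "temporary internet files" in item:
        return "temp/cache dropper"
    if re.match(r"^[a-z]:\\[0-9a-f]{8}\\", item):
        return "hidden numeric directory"
    return "other"


def summary_counts(text: str) -> dict:
    """Counts the log claims in its header block, keyed by section name."""
    matches = (SUMMARY_RE.match(line.strip()) for line in text.splitlines())
    return {m["name"]: int(m["count"]) for m in matches if m}


def triage(text: str) -> dict:
    """Ordered remediation plan plus consistency checks for one MBAM log."""
    dets = parse_mbam_log(text)
    ranked = sorted((PRIORITY.index(classify(d)), classify(d), d.item) for d in dets)
    seen = Counter(d.section for d in dets)
    # A header count that disagrees with the listed items means a truncated paste.
    mismatch = {k: (v, seen.get(k, 0)) for k, v in summary_counts(text).items() if seen.get(k, 0) != v}
    return {"plan": [(cat, item) for _, cat, item in ranked],
            "families": Counter(d.family for d in dets),
            "unremediated": [d.item for d in dets if d.action.lower().startswith("no action")],
            "summary_mismatch": mismatch}
```

Every item in the constructed sample is still marked "No action taken", which is exactly the state of the log pasted above: a scan that listed the findings without removing them.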
#7
Posted 31 October 2008 - 06:50 PM
Looks like we got a pile of that but not all.
Do what you can to collect a few of the ones we missed and then zip and submit them here:
http://uploads.malwarebytes.org/
#8
Posted 31 October 2008 - 07:18 PM
nosirrah, on Nov 1 2008, 12:50 AM, said:
Looks like we got a pile of that but not all.
Do what you can to collect a few of the ones we missed and then zip and submit them here:
http://uploads.malwarebytes.org/
HAHA... the virus is VERY GOOD. Okay so far only able to upload PART ONE of the thing
will update hopefully with ALL parts soon ;-)
Good thing I didn't reformat PC yet!
http://rapidshare.com/files/159487569/Dead...spart1.rar.html
#9
Guest_remixed_*
Posted 31 October 2008 - 09:59 PM
The Trojan appears to install in the hook chain via HBFY.dll which runs whenever a Windows application is started up.
#10
Posted 31 October 2008 - 11:10 PM
Hi All.
I am working on this sample, please bear with me as I write the necessary definitions.
Update 1 12:55am, Processed initial samples. Found one trojan responsible for causing system shutdowns. With any luck, it doesn't have mutated friends lurking. The samples sent are all primarily Spyware.OnLineGames variants. So, if you play World of Warcraft, or other online games, I'd strongly recommend changing your account details, as they have more than likely been compromised at this point.
#11
Posted 01 November 2008 - 12:14 AM
Hi All.
I am working on this sample, please bear with me as I write the necessary definitions.
Update 1 12:55am:
Processed initial samples. Found one trojan responsible for causing system shutdowns. With any luck, it doesn't have mutated friends lurking. The samples sent are all primarily Spyware.OnLineGames variants. So, if you play World of Warcraft, or other online games, I'd strongly recommend changing your account details, as they have more than likely been compromised at this point.
Update 2 1:12am:
Completed most of the sample fallout/testing
The next definitions update should clear up most if not all of this infection for you. At the very least, it should allow us to try and get you cleaned up.
Please update MBAM and scan your PC again, allow it to remove what it finds, and reboot. Scan once more, and provide that logfile.
thanks!
#12
Posted 01 November 2008 - 01:40 AM
Update...
After doing a bit more testing, I've found that one of the samples you sent installs A LOT of friends. All by itself. In a very short amount of time you can be in serious trouble.
I will have more definitions out to handle the other potentially harmful code you have been exposed to.
#13
Posted 01 November 2008 - 08:13 AM
@Dustin, I went about this from a different angle and got some different def types to go with yours; I think together we might have this nuked.
@terminator, defs 1351 are what you would want to scan with once they are up; this will be this morning.
#14
Posted 01 November 2008 - 10:15 AM
nosirrah, on Nov 1 2008, 02:13 PM, said:
@Dustin, I went about this from a different angle and got some different def types to go with yours; I think together we might have this nuked.
@terminator, defs 1351 are what you would want to scan with once they are up; this will be this morning.
Thanks all for the effort and the quick responses! Unfortunately I didn't get this message until this morning and I went ahead and reformatted the PC.
Otherwise I would most definitely have loved to have tested and posted results to see if this worked or not. I uploaded some of the suspected virus files to VirusTotal and they didn't find anything! Usually VirusTotal is very good about catching these kinds of things, but I guess if the kk.exe or whatever mutates and changes according to its host system or whatever then it would be very hard to fight against it.
This actually got infected on my Mom's old gaming / online video watching PC, as I hardly ever use this PC and I myself have never caught a virus/malware before because I stick with "clean sites" and good security protocol and have an intuition for these things when "things start to go wrong/downhill".
She watches online video streams of Korean videos with QVODPLAYER or something like that; the thing is the QVODPLAYER only works through Internet Explorer
and I'm not even sure it's compatible with IE8, and she had IE6 on the machine. (There isn't a plugin for Firefox, unfortunately.) I'm not sure if this is what caused it but I suspect it could be so... She also visits some Asian websites that are kind of "fishy" and I would never visit these sites myself. A week ago or so I noticed an Online Poker game installed on the desktop of her machine but thought nothing of it, but it is strange because I'm sure she is not playing poker and no one else uses the machine... so I don't know how it got on there or what caused it? Probably QVODPLAYER?? IDK
It's really not a hassle to reformat the PC because for a while I used to do that once a month anyway... But the reason I made this whole post is of course I have always found Malwarebytes to be the best at this kind of thing (all the others suck and IMHO Symantec Norton Antivirus is the world's greatest JOKE EVER) but this time whatever hit it went straight past it like it didn't even exist. I don't know if this indeed is a new upcoming virus or a new variant or variants or combination of previously known threats, malware or attacks or if it is a new rogue threat (and I don't have the time, energy or interest to research into this that deep) but if this thing is this annoying/effective and if it spreads quickly this could definitely make AntiVirus 2008 look like heaven....
I read you guys came up with a way to stop the forced reboots; do I need to change my passwords? Do you think this virus could have captured keystrokes and/or screencaptures and sent them in? I did notice the internet connection on that particular system to be EXTREMELY SLOW, and it's hardwired via ethernet into the router like my other systems, and it was so much slower than any other PC a few days ago....
Also, were you able to find out what caused the issue with me not being able to OPEN CMD? (CMD closed out after 2 seconds of opening)
Also, why could I not start services.msc or any msc or device manager? (keeps saying this program/app is already in use by some other program/app)
=================
BTW I was able to use BARTPE to finally remove all the suspicious .dll and .exe and whatever in the directories but after reboot the virus was still persistent.
I still could not access CMD or services.msc etc..... I thought I had removed it all? So I assumed the Windows system files had been corrupted but it would not let me do a sfc /scannow to repair!!! Every time I tried it, it would REBOOT my system again!
Eventually I resorted to copying over the drivers and system files (explorer.exe, logonui.exe, etc etc etc) manually from disk to drive using BartPE, but after loading into Windows again BOTH the MOUSE AND KEYBOARD FROZE!!!!
I don't understand why; I didn't change the registry settings, didn't uninstall drivers, and only copied and overwrote generic Windows XP Operating system files from the same disk I installed it from... It would boot to the login screen and just freeze. The system boots okay but the mouse and keyboard go dead....
I'm not sure if this is still because of the virus, it was late last night and I got frustrated and went ahead and did a bit by bit low level reformat....
#15
Posted 01 November 2008 - 10:59 AM
Sorry there isn't an EDIT option so I had to make a new post to add more info:
1. I have never seen a virus/program/app that could REBOOT the system so quickly! I think it's less than 1 second between when it decides to reboot and the system actually reboots! In fact it reboots SO QUICKLY this is why I thought at first I had a hardware, PSU, HSF overheat, mosfet overheat, RAM integrity, etc issue! I didn't know software can reboot a PC so quickly! A normal reboot on this PC takes 15 seconds or more; even "shutdown -r -f -t 0" takes at least 5 seconds??
2. This virus will revert the Folder Options/View back to "Do not show hidden files and folders" and "Hide Protected Operating System files" each time I logoff/restart/reboot! Again not a big deal, but it definitely had me fooled at the beginning because I ALWAYS choose to display ALL FILES, so that's why I didn't suspect a virus at first; everything looked clean when I did a quick visual scan of the Windows and Windows\system32 etc... I didn't know the virus had me fooled like THAT.
3. This sneaky little piece of crap will somehow disable the CMD both in normal mode, in SAFE mode too! I can start the CMD but after about 2 seconds (literally) it will close / terminate forcibly with no warning or errors.
4. This virus seems to have copy protection! It prevented me from even COPYING/PASTING the contents of its program completely to my flash drive! Let me explain, I would go into %temp% and there would be a whole crapload of the virus files but I could only copy about 50% of the files. When I scroll down towards the bottom and even before I click on some select virus files (even before I could do a Control-C or right click to COPY) the whole Windows Explorer folder will IMMEDIATELY terminate and it will Crash to Desktop and the kernel/explorer would have to reload....
This is THE first and ONLY time I have ever seen a virus attempt to prevent me from copying it to a different location to examine or upload or report it!!
5. This virus will NOT let me boot into SAFE MODE WITH COMMAND PROMPT. I can choose the option but the system will actually boot into the Normal Safe Mode with GUI. Of course, CMD will shut down in this mode!!!
6. This virus is intelligent and will detect when I am trying to get rid of it. For one example, when I do a "sfc /scannow" after about 10 seconds it will immediately shutdown and reboot my system... When I click on Firefox it will reboot my system. When I try to clear out the internet explorer temporary files from within IE it will reboot my system... And sometimes it will reboot RANDOMLY as well, I don't know why... Is someone controlling my system from afar????
7. Over the past few days I have noticed my hardwired ethernet internet connection on this PC has slowed down A FREAKING LOT!!! Is/was this virus uploading files on my computer to its servers or having some kind of persistent takeover connection, capturing keystrokes, capturing screenshots etc???
8. FileAssassin is completely ineffective against this virus. It could not remove one single .dll or .exe or .tmp or .sys or .cfg or .whatever in the windows or windows system32 folders that I detected to be a virus! Not even ONE!
9. Once this virus made its way onto my system it disabled my Windows Installer!
(among many other services...) and I could NOT go into services.msc to turn them back on! I could not even write a batch file script to
start the service using "net start ..." because the RPC or whatever service that is needed to start other services had been turned OFF!
Also, even though I COULD get into the MSCONFIG page, believe it or not the weird thing is in the services tab a whole lot of system
services were not even available to select! Basically it had turned off critical system services, and then removed them from the list
in msconfig so I could not opt to turn them back on!
10. Now that I think of it, I also noticed this virus would randomly FREEZE my computer as well..
11.
#16
Posted 01 November 2008 - 11:25 AM
12. I forgot to mention, once my Windows Installer was disabled (among other services) I could not install other antivirus software
to do a clean after noticing Malwarebytes was ineffective against this new threat. I even tried downloading OneCare from Microsoft
but it crashed with a cryptic error when attempting to download and install it from Microsoft...
13. My mom (this is her machine) was playing a MahJong Suite 2008 game when she first noticed the "problem"
I saw that MahJong game would CTD with a "memory violation error" ... at first I thought the program was corrupt so
I did a FULL uninstall and FULL reinstall but every time she started the game it would play for a minute and crash
giving a memory violation hex error of some sort... She has played this game for YEARS (starting with 06 version) and
NEVER had any problems with this game! This is also why at first I thought the PC had a ram or hardware failure, because
soon after it coincided with the random reboots!
14. Yesterday afternoon after I had finished the Malwarebytes both Short and FULL scan and I detected the virus was STILL
alive on my system I found out the views settings in windows explorer had been changed to prevent showing of hidden or
system files.. BTW I rebooted twice.. After I changed it back I saw initially a whole bunch of random hidden folders and random-character
batch files, about 10-15 .bat batch files strategically located through the system... If I recall correctly some of the names
of the batch files sounded Asian or Oriental ... Of course at this stage I thought it was "just another virus" and that in 10 minutes
flat it would be history so sadly I didn't backup the .bat files and I only opened up two or three to take a quick look before I erased them for good.
If I remember correctly one of the batch files had a WHOLE BUNCH (A TON) like 100 different IP addresses that it would rotate or point to for one reason or another.... and in another batch file it had instructions that seemed to want to detect when the system had an internet connection or whatever and then do a certain task when it detected the connection... but I'm not sure...
15. I want to point out that ALL OF THIS, happened WITHIN a 72 hour period. From when I first noticed the problem to when I finally gave up and reformatted the PC was less than 3 days total... I also want to say that I always had Malwarebytes on this machine, always up to date, and I did a FULL SCAN just last week! and it was clean up until 3 days ago... So the fact that I had a crapload of about 300 -500 total virus objects on my system in a 72 hour period when it was previously pristine and clean means whatever hit it hit it VERY HARD and VERY FAST.
WHAT IS THE MOTIVATION for someone creating a virus like this? Unlike Antivirus 2008 it doesn't pretend to be good and fool naive suckers into purchasing the program... Does this virus attempt to capture keystrokes and screenshots and harvest passwords for identity theft? If so even a full reformat isn't safe; I should change all my system, email, online passwords, correct?
Thanks all. I will update if I remember more clues. Hopefully this virus is defeated fast because I'd hate to see other people have to suffer this crap.
#17
Posted 10 November 2008 - 08:09 PM
Topic closed due to lack of response.
I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions
Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org