Edited by Hugogomezm, 04 June 2006 - 08:07 PM.
WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
Malaware: HT log included
Started by
Hugogomezm
, Jun 04 2006 07:51 PM
4 replies to this topic
#1
Hugogomezm
-
- New Member
-
- 2 posts
New Member
Posted 04 June 2006 - 07:51 PM
Register to Remove
#2
Micah_6:8
-
- Authentic Member
-
- 10,060 posts
Evilware Emancipator
- Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!
Posted 04 June 2006 - 09:27 PM
Welcome to the forum 
Your computer has been hijacked by people in the Ukraine. What you have is a "Wareout" infection.
Please download FixWareout from one of these links:
Fixwareout.exe
Fixwareout.exe
CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!
* Save it to your desktop and run it.
* Click Next, then Install, make sure "Run fixit" is checked and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.
* Once the desktop loads a text will open (report.txt). We'll need that in a bit.
Please make a PERMANANT folder for Hijack This!
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. MOVE (drag-and-drop) HijackThis into this folder.
If required a tutorial is here = Hijackthis Folder Tutorial
CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!
Run Hijack This!
Click "Do a systen scan only".
Then "check" the box to the left of these item(s):
(Note: Fixwareout.exe may have removed some of these)
R3 - URLSearchHook: (no name) - {1B99D6CD-4A09-4E1E-2486-2FC3D0B252F7} - backorif.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Kargo] ExchangeMaster.exe
O4 - HKLM\..\Run: [ftbar] sysconf16.exe
O4 - HKLM\..\Run: [dmbtu.exe] C:\WINDOWS\system32\dmbtu.exe
O4 - HKCU\..\Run: [321102] WTFCTF.exe
O4 - HKCU\..\Run: [LOPTCON] Bogobot.exe
O4 - HKCU\..\Run: [___] ExchangeMaster.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B446E04-ADEF-46E6-9AA3-2E664127D327}: NameServer = 85.255.116.110 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B0B0A7-521F-423E-BDD2-5A17A07821D9}: NameServer = 85.255.116.110,85.255.112.202
Then click "Fix checked" and close Hijack This!.
Reboot in "safe" mode.
Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:
bogobot.exe <--- file
c:\windows\system32\dmbtu.exe <--- file
exchangemaster.exe <--- file
sysconf16.exe <--- file
wtfctf.exe <--- file
Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).
Reboot in normal mode and "copy/paste" a new log file into this thread.
Also open this file with Notepad:
C:\fixwareout\report.txt
And paste it's contents into your next post.
P.S.
This program:
O4 - HKCU\..\Run: [UnSpyPC] "C:\Archivos de programa\UnSpyPC\UnSpyPC.exe"
Has a "shady" reputation:
UnSpyPC
See if it is in "Add/Remove Programs". If so, I'd suggest removing it, then reboot.
If it's not in there, let me know and we'll remove it via other methods.
Your computer has been hijacked by people in the Ukraine. What you have is a "Wareout" infection.
85.255.112.0 - 85.255.127.255
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
Please download FixWareout from one of these links:
Fixwareout.exe
Fixwareout.exe
CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!
* Save it to your desktop and run it.
* Click Next, then Install, make sure "Run fixit" is checked and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.
* Once the desktop loads a text will open (report.txt). We'll need that in a bit.
Please make a PERMANANT folder for Hijack This!
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. MOVE (drag-and-drop) HijackThis into this folder.
If required a tutorial is here = Hijackthis Folder Tutorial
CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!
Run Hijack This!
Click "Do a systen scan only".
Then "check" the box to the left of these item(s):
(Note: Fixwareout.exe may have removed some of these)
R3 - URLSearchHook: (no name) - {1B99D6CD-4A09-4E1E-2486-2FC3D0B252F7} - backorif.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Kargo] ExchangeMaster.exe
O4 - HKLM\..\Run: [ftbar] sysconf16.exe
O4 - HKLM\..\Run: [dmbtu.exe] C:\WINDOWS\system32\dmbtu.exe
O4 - HKCU\..\Run: [321102] WTFCTF.exe
O4 - HKCU\..\Run: [LOPTCON] Bogobot.exe
O4 - HKCU\..\Run: [___] ExchangeMaster.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B446E04-ADEF-46E6-9AA3-2E664127D327}: NameServer = 85.255.116.110 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B0B0A7-521F-423E-BDD2-5A17A07821D9}: NameServer = 85.255.116.110,85.255.112.202
Then click "Fix checked" and close Hijack This!.
Reboot in "safe" mode.
Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:
bogobot.exe <--- file
c:\windows\system32\dmbtu.exe <--- file
exchangemaster.exe <--- file
sysconf16.exe <--- file
wtfctf.exe <--- file
Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).
Reboot in normal mode and "copy/paste" a new log file into this thread.
Also open this file with Notepad:
C:\fixwareout\report.txt
And paste it's contents into your next post.
P.S.
This program:
O4 - HKCU\..\Run: [UnSpyPC] "C:\Archivos de programa\UnSpyPC\UnSpyPC.exe"
Has a "shady" reputation:
UnSpyPC
See if it is in "Add/Remove Programs". If so, I'd suggest removing it, then reboot.
If it's not in there, let me know and we'll remove it via other methods.
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#3
Hugogomezm
-
- New Member
-
- 2 posts
New Member
Posted 05 June 2006 - 04:28 PM
Hi, thanks for your very quick reply and procedure. I did everything but was not able to remove UnSpyPC from the add/remove programs window.
Here is the HJT log and the fixwareout log:
Logfile of HijackThis v1.99.1
Scan saved at 05:17:05 p.m., on 05/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Ares Lite Edition\AresLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Admin\CONFIG~1\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Archivos de programa\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\uyymd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...
Random Runs removed from HKLM
"dmyyu.exe"=-
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMYYU.EXE
»»»»» Misc files
* thequicklink C:\WINDOWS\System32\OWARW.DLL
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMYYU.EXE 44,032 2004-08-19
#4
Micah_6:8
-
- Authentic Member
-
- 10,060 posts
Evilware Emancipator
- Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!
Posted 05 June 2006 - 04:42 PM
UnSpyPC doesn't appear in the log any longer.
Please go here:
Jotti Online File Scanner
And submit this file for a virus scan:
C:\WINDOWS\SYSTEM32\DMYYU.EXE
Let me know the results.
The log looks pretty good now.
How are things running?
Post Infection Items To Ponder
Please go here:
Jotti Online File Scanner
And submit this file for a virus scan:
C:\WINDOWS\SYSTEM32\DMYYU.EXE
Let me know the results.
The log looks pretty good now.
How are things running?
Post Infection Items To Ponder
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#5
Micah_6:8
-
- Authentic Member
-
- 10,060 posts
Evilware Emancipator
- Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!
Posted 13 June 2006 - 07:37 PM
This topic is now closed.
If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.
If this is not your thread please start a New Topic.
If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.
If this is not your thread please start a New Topic.
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
