Help With Hijack Logfile. Thanks!


27 replies to this topic

#16 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 10 June 2007 - 09:49 AM

Looking improved there. Still those unknown files that you were not able to remove with problems with Avenger. Let's clean more and take a better look at those now. Remember to keep SpySweeper disabled, to keep it from interfering with repairs.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O4 - HKLM\..\Run: [Windows Update Services] C:\RECYCLER\winupdate32.exe


Then download FixWareout from here

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet).

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log.

NB - You must be online to run this utility


-------------------------------------------


Next download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of suspect files into the Suspicious File Packer window:

C:\MIQNB.bat
C:\FMDHI.bat
C:\joe.exe
C:\abca.exe
C:\areara.exe



Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Then just go here and follow the instructions to upload the CAB file.

You DO NOT need to be a member to upload, anybody can upload the files.



If you have trouble accessing the net after running FixWareout, go to Start -> Control Panel, and choose Network Connections. Right-click on your default connection (usually Local Area Connection, or Dial-up Connection if you are using Dial-up) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically, or enter the addy's required by your ISP (they should be posted on their site). Click OK twice, and restart the computer.
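The O4 entry fixed above launches an executable from C:\RECYCLER, a location no legitimate autostart should use. As an added example that is not from the thread or from HijackThis itself, the following script triages HijackThis O4 Run lines by where their program lives; the scoring rules are my own assumptions, and the sample lines are constructed from entries in the thread plus one labelled made-up line.

```python
"""Triage HijackThis O4 Run entries for executables that launch from places
legitimate software rarely uses (recycle bin, temp folders, drive root).

Added example, not code from the thread or from HijackThis. The scoring
rules are my own assumptions; SAMPLE_O4 is constructed from entries shown
in the thread plus one labelled made-up line.
"""
import re

# O4 - HKLM\..\Run: [Windows Update Services] C:\RECYCLER\winupdate32.exe
O4_RUN = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Lower-case directory fragments that are suspicious launch points
SUSPICIOUS_DIRS = (
    "c:\\recycler\\",
    "\\windows\\temp\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)

def command_executable(cmd):
    """Return the program (or the DLL, for rundll32) named by a Run command
    line. Handles quoted paths followed by arguments, the stray '~' prefix
    seen on the thread's MsnMsgr entry, and bare file names."""
    cmd = cmd.strip().lstrip("~")
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    first, _, rest = cmd.partition(" ")
    if first.lower() == "rundll32.exe" and rest:
        # RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup -> inspect the DLL itself
        return rest.split(",", 1)[0]
    return first

def is_root_of_drive(path):
    """True for C:\\name.exe, i.e. a file sitting directly in the drive root."""
    return re.match(r"^[a-z]:\\[^\\]+$", path.lower()) is not None

def triage_o4(lines):
    """Return [(entry name, executable, reason)] for entries worth a look."""
    findings = []
    for line in lines:
        m = O4_RUN.match(line.strip())
        if not m:  # Global Startup and other O4 forms are not handled here
            continue
        exe = command_executable(m.group("cmd"))
        low = exe.lower()
        reason = None
        if any(d in low for d in SUSPICIOUS_DIRS):
            reason = "runs from recycle bin or temp folder"
        elif is_root_of_drive(exe):
            reason = "runs from root of drive"
        elif "\\" not in exe:
            reason = "bare file name resolved via PATH, verify its location"
        if reason:
            findings.append((m.group("name"), exe, reason))
    return findings

# Constructed sample: five lines taken from the thread's logs, one made up
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [Windows Update Services] C:\RECYCLER\winupdate32.exe',
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
    r'O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe',
    r'O4 - HKCU\..\Run: [loader] C:\joe.exe',  # made-up line, not from the log
]

if __name__ == "__main__":
    for name, exe, reason in triage_o4(SAMPLE_O4):
        print(f"[{name}] {exe}: {reason}")
```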



#17 jimmya (New Member, Authentic Member, 13 posts)

Posted 10 June 2007 - 03:46 PM

OK, here are the 2 logs as you asked, and the other files were uploaded to that website; if you want a link, I saved the page.

Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="\"C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
"DMXLauncher"="\"C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe\""
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"CTHelper"="CTHELPER.EXE"
"HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1161812728\\ee\\AOLSoftware.exe\""
"AOLDialer"="\"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe\""
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"SetDefaultMIDI"="MIDIDef.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="~\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0\\AOL.EXE\" -b"
"X-Cleaner Deluxe"="\"C:\\PROGRA~1\\X-CLEA~1\\XCleaner_full.exe\" -turbo -autostart -NOREBOOT"
"SweetIM"="\"C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»




Logfile of HijackThis v1.99.1
Scan saved at 5:43:40 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\AOL\1161812728\ee\AOLSoftware.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\common files\aol\1161812728\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1161812728\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1161812728\ee\aolsoftware.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\DOCUME~1\JIMMYA~1\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scottrade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1161812728\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SweetIM] "C:\Program Files\Macrogaming\SweetIM\SweetIM.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.66.155.171....638189OneCC.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

#18 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 10 June 2007 - 07:41 PM

I don't seem to locate that file upload - yes, post the link if you would.

#19 jimmya (New Member, Authentic Member, 13 posts)

Posted 10 June 2007 - 09:37 PM

Did it again, here it is. http://security-cent...18696#post18696 By the way, just wondering what that actually is. Thank you again! :wavey:

#20 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 11 June 2007 - 03:09 PM

I received those files - thanks. They are part of an active "Bot" infection there which we will need to fully locate and remove. Before we can do that let's get a look at all the files in your C folder. Try not to reboot or do too much activity after posting the next results, in order to keep the infection from adding new files.

Go to Start - Run, type notepad (and Enter). In the open text box copy/paste all the text highlighted below:

cd\
dir /O:S > c:\show.txt & start notepad c:\show.txt


Then go to File - Save as..., and save the file to your desktop as "Lookc.bat" (be sure to include the quotes "" in the name). Then click on lookc.bat to run the file check. Once that completes a text box will open - copy/paste those contents back here please.


Also run and post back a new ComboFix scan.

#21 jimmya (New Member, Authentic Member, 13 posts)

Posted 17 June 2007 - 07:34 PM

Hi, sorry about the delay, I have had a death in the family and haven't been on the computer. Here are the 2 logs you asked for; maybe these will help to get rid of the problems.


Volume in drive C has no label.
Volume Serial Number is 9885-3D74

Directory of C:\

06/17/2007 09:28 PM <DIR> WINDOWS
06/17/2007 08:16 PM <DIR> Program Files
06/01/2007 11:00 AM <DIR> KAV
06/01/2007 07:14 PM <DIR> Temp
11/11/2006 01:58 PM <DIR> i386
06/17/2007 09:32 PM 0 show.txt
06/10/2007 05:18 PM <DIR> fixwareout
05/26/2007 12:06 AM <DIR> SDFix
10/20/2006 08:02 PM <DIR> drvrtmp
07/24/2006 01:03 PM <DIR> drivers
06/05/2007 11:56 PM <DIR> Documents and Settings
11/11/2006 01:58 PM <DIR> dell
08/16/2005 05:43 AM 0 AUTOEXEC.BAT
06/05/2007 11:51 PM <DIR> Avenger
11/16/2006 04:00 AM <DIR> d17d964adc523f90e95d
08/16/2005 05:43 AM 0 CONFIG.SYS
06/17/2007 09:25 PM <DIR> ComboFix
06/01/2007 07:14 PM <DIR> QooBox
06/02/2007 12:46 PM 82 MIQNB.bat
05/27/2007 10:21 AM 86 PDFIH.bat
05/27/2007 10:21 AM 86 QOCLH.bat
05/27/2007 10:21 AM 86 CNBEG.bat
05/27/2007 10:21 AM 86 FMDHI.bat
05/27/2007 10:21 AM 86 SCMGC.bat
05/27/2007 10:21 AM 86 KCRLS.bat
05/27/2007 10:21 AM 86 HJPEE.bat
06/06/2007 10:09 AM 164 install.dat
11/14/2006 04:18 PM 168 setupfax.log
06/05/2007 11:56 PM 398 avenger.txt
06/17/2007 09:24 PM 530 ComboFix-quarantined-files.txt
10/27/2006 08:32 AM 1,039 aolconnfix.txt
06/09/2007 12:26 PM 1,876 rapport.txt
10/25/2006 05:16 PM 4,128 INFCACHE.1
06/10/2007 05:08 PM 5,059 dnsbak.reg
06/05/2007 03:08 PM 10,847 ComboFix3.txt
10/27/2006 08:32 AM 10,920 aolconnfix.exe
06/17/2007 09:25 PM 12,110 ComboFix.txt
06/09/2007 12:15 PM 12,296 ComboFix2.txt
05/27/2007 01:51 PM 28,672 aabababab.exe
05/27/2007 01:32 PM 28,672 ararar.exe
06/02/2007 12:44 PM 28,672 ababa.exe
06/01/2007 06:04 PM 28,672 eaea.exe
05/27/2007 01:31 PM 28,672 aabababa.exe
05/27/2007 01:54 PM 28,672 joe.exe
05/27/2007 04:20 PM 28,672 joae.exe
05/27/2007 01:45 PM 28,672 getme.exe
05/27/2007 06:24 AM 28,672 aaaab.exe
05/27/2007 10:21 AM 49,664 areara.exe
05/27/2007 06:24 AM 49,664 update.exe
05/27/2007 11:08 AM 49,664 abababa.exe
05/27/2007 06:09 AM 49,664 ababab.exe
05/27/2007 06:57 AM 49,664 kakakak.exe
05/27/2007 08:09 AM 49,664 aakrkak.exe
06/01/2007 12:24 AM 51,712 abca.exe
06/17/2007 09:29 PM 58,447 VETlog.dmp
10/31/2005 11:56 AM 700,416 StubInstaller.exe
06/17/2007 09:29 PM 745,597 VETlog.txt
42 File(s) 2,172,423 bytes
15 Dir(s) 194,375,938,048 bytes free




"Jimmy A " - 2007-06-17 21:22:58 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Jimmy A \Desktop\ANTI SPYWARE PROGRAMS\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 ))))))))))))))))))))))))))))))))))


2007-06-17 20:16 <DIR> d-------- C:\Program Files\Folder Icon Changer
2007-06-10 17:08 5,059 --a------ C:\dnsbak.reg
2007-06-09 12:25 3,364 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-09 12:24 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-09 12:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-09 12:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-09 11:22 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-06 14:45 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-06-06 14:45 21,568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-06 14:45 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-06 14:45 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-06-06 14:45 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-06-06 14:45 128,064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-06 14:45 <DIR> d-------- C:\Program Files\Webroot
2007-06-06 14:45 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-06-06 14:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-06 14:41 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\Webroot
2007-06-06 12:10 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-06 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-06 10:20 <DIR> d-------- C:\WINDOWS\pss
2007-06-05 23:51 <DIR> d-------- C:\Avenger
2007-06-04 11:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-02 12:46 82 --a------ C:\MIQNB.bat
2007-06-02 12:44 28,672 --a------ C:\ababa.exe
2007-06-01 19:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 11:01 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-06-01 11:01 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-06-01 11:01 240,416 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-06-01 11:01 12,011,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-01 11:01 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-06-01 11:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-01 09:46 <DIR> d-------- C:\WINDOWS\Sysbckup
2007-06-01 09:39 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2007-06-01 00:19 <DIR> d-------- C:\Program Files\RegCure
2007-05-31 15:00 28,672 --a------ C:\eaea.exe
2007-05-29 22:36 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\Sony Setup
2007-05-27 14:09 28,672 --a------ C:\joae.exe
2007-05-27 13:53 28,672 --a------ C:\joe.exe
2007-05-27 13:51 28,672 --a------ C:\aabababab.exe
2007-05-27 13:36 28,672 --a------ C:\getme.exe
2007-05-27 13:33 51,712 --a------ C:\abca.exe
2007-05-27 13:28 28,672 --a------ C:\ararar.exe
2007-05-27 13:24 28,672 --a------ C:\aabababa.exe
2007-05-27 10:21 86 --a------ C:\SCMGC.bat
2007-05-27 10:21 86 --a------ C:\QOCLH.bat
2007-05-27 10:21 86 --a------ C:\PDFIH.bat
2007-05-27 10:21 86 --a------ C:\KCRLS.bat
2007-05-27 10:21 86 --a------ C:\HJPEE.bat
2007-05-27 10:21 86 --a------ C:\FMDHI.bat
2007-05-27 10:21 86 --a------ C:\CNBEG.bat
2007-05-27 10:19 49,664 --a------ C:\areara.exe
2007-05-27 10:01 49,664 --a------ C:\abababa.exe
2007-05-27 07:06 49,664 --a------ C:\aakrkak.exe
2007-05-27 06:57 49,664 --a------ C:\kakakak.exe
2007-05-27 06:24 49,664 --a------ C:\update.exe
2007-05-27 06:24 28,672 --a------ C:\aaaab.exe
2007-05-27 06:09 49,664 --a------ C:\ababab.exe
2007-05-26 14:42 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\SlySoft
2007-05-26 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-05-26 14:37 <DIR> d-------- C:\Program Files\SlySoft
2007-05-26 12:27 <DIR> d-------- C:\Program Files\Azureus
2007-05-26 12:27 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\Azureus
2007-05-26 12:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-26 12:22 <DIR> d-------- C:\Program Files\Mythusoft
2007-05-22 14:27 <DIR> d-------- C:\Program Files\STOPzilla!
2007-05-22 14:27 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-05-22 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZILLAbar
2007-05-22 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-05-22 11:07 <DIR> d-------- C:\Program Files\McAfee
2007-05-22 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-05-22 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-20 13:26 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-20 13:22 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-20 13:18 <DIR> d-------- C:\KAV
2007-05-19 16:58 164 --a------ C:\install.dat
2007-05-19 16:57 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\GetRightToGo
2007-05-18 18:46 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-18 18:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-18 18:19 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\Simply Super Software
2007-05-18 11:17 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-05-18 11:14 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-05-18 11:14 <DIR> d-------- C:\Program Files\SpeedItUpFree
2007-05-18 09:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-18 09:53 <DIR> d-------- C:\DOCUME~1\JIMMYA~1\APPLIC~1\Help
2007-05-18 03:27 <DIR> d-------- C:\WINDOWS\system32\PAV


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 22:40:35 -------- d-----w C:\Program Files\America Online 9.0
2007-05-31 06:54:09 -------- d-----w C:\Program Files\Image-Line
2007-05-30 21:09:07 -------- d-----w C:\Program Files\Sony
2007-05-30 02:34:50 -------- d-----w C:\Program Files\Sony Setup
2007-05-25 13:47:37 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-22 18:32:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-18 15:10:01 -------- d-----w C:\Program Files\BAE
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 05:18:38 -------- d-----w C:\Program Files\X-Cleaner
2007-04-27 06:06:41 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-25 21:02:48 -------- d-----w C:\DOCUME~1\JIMMYA~1\APPLIC~1\acccore
2007-04-25 21:01:42 -------- d-----w C:\DOCUME~1\JIMMYA~1\APPLIC~1\AOL
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll
2007-03-28 19:33:08 152,469 ----a-w C:\WINDOWS\Wave@MP3 Uninstaller.exe
2007-03-19 17:57:46 98,304 ----a-w C:\WINDOWS\system32\CddbLangNL.dll
2007-03-19 17:57:46 98,304 ----a-w C:\WINDOWS\system32\CddbLangFR.dll
2007-03-19 17:57:46 98,304 ----a-w C:\WINDOWS\system32\CddbLangES.dll
2007-03-19 17:57:46 98,304 ----a-w C:\WINDOWS\system32\CddbLangDE.dll
2007-03-19 17:57:46 102,400 ----a-w C:\WINDOWS\system32\CddbLangIT.dll
2007-03-19 17:57:44 77,824 ----a-w C:\WINDOWS\system32\CddbLangJA.dll
2007-03-19 17:57:44 765,952 ----a-w C:\WINDOWS\system32\CDDBUI.dll
2007-03-19 17:57:44 655,360 ----a-w C:\WINDOWS\system32\CDDBControl.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" []
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"CTHelper"="CTHELPER.EXE" []
"HostManager"="C:\Program Files\Common Files\AOL\1161812728\ee\AOLSoftware.exe" [2006-09-25 20:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 14:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-25 18:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 22:29]
"SetDefaultMIDI"="MIDIDef.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-25 22:30]
"X-Cleaner Deluxe"="C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" [2007-04-16 14:18]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jimmy A ^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=C:\Documents and Settings\Jimmy A Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=C:\WINDOWS\pss\AOL OpenRide.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-13 12:24:05 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-17 06:20:25 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-17 21:00:05 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-14 07:17:31 C:\WINDOWS\tasks\RegCure.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 21:24:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-17 21:25:10
C:\ComboFix-quarantined-files.txt ... 2007-06-17 21:24
C:\ComboFix2.txt ... 2007-06-09 12:15
C:\ComboFix3.txt ... 2007-06-05 15:08

--- E O F ---
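The C:\ listing above shows many random-named .exe and .bat files sharing a few exact byte sizes (86, 28,672 and 49,664 bytes), which is what a dropper copying one payload under many names looks like. As an added example that is not from the thread, this script parses dir /O:S output and reports such same-size clusters; the cluster rule is my own heuristic, and SAMPLE_DIR is constructed from a subset of the posted lines rather than a full capture.

```python
"""Spot mass-dropped files in a 'dir /O:S' listing of the drive root.

Added example, not part of the original thread. The bot in the thread
dropped many random-named .exe/.bat files into C:\ that share a handful
of byte sizes; the cluster rule below is my own heuristic. SAMPLE_DIR is
constructed from lines in the posted listing, not a complete capture.
"""
import re
from collections import defaultdict

# 05/27/2007 01:51 PM        28,672 aabababab.exe
# 06/17/2007 09:28 PM    <DIR>          WINDOWS
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+)$"
)
# Extensions that execute when launched; what a dropper leaves in the root
RISKY_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif")

def parse_dir_listing(text):
    """Return [(name, size_bytes)] for files; directories are skipped."""
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        files.append((m.group("name"), int(m.group("size").replace(",", ""))))
    return files

def find_size_clusters(files, min_members=3):
    """Group risky files by (extension, size). A cluster of min_members or
    more identically sized executables under different names is the
    signature of one payload copied out under many names."""
    groups = defaultdict(list)
    for name, size in files:
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if "." + ext in RISKY_EXT:
            groups[(ext, size)].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}

# Constructed sample: a subset of the C:\ listing posted in the thread
SAMPLE_DIR = """\
 Volume in drive C has no label.
 Directory of C:\\

06/17/2007 09:28 PM <DIR> WINDOWS
06/17/2007 09:32 PM 0 show.txt
08/16/2005 05:43 AM 0 AUTOEXEC.BAT
06/02/2007 12:46 PM 82 MIQNB.bat
05/27/2007 10:21 AM 86 PDFIH.bat
05/27/2007 10:21 AM 86 QOCLH.bat
05/27/2007 10:21 AM 86 CNBEG.bat
05/27/2007 01:51 PM 28,672 aabababab.exe
05/27/2007 01:32 PM 28,672 ararar.exe
05/27/2007 01:54 PM 28,672 joe.exe
05/27/2007 10:21 AM 49,664 areara.exe
05/27/2007 06:24 AM 49,664 update.exe
10/31/2005 11:56 AM 700,416 StubInstaller.exe
42 File(s) 2,172,423 bytes
"""

if __name__ == "__main__":
    for (ext, size), names in find_size_clusters(parse_dir_listing(SAMPLE_DIR)).items():
        print(f"{len(names)} x .{ext} files of {size} bytes: {', '.join(names)}")
```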

#22 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 17 June 2007 - 07:34 PM

A good few days have passed without a response jimmya. Do you still plan to continue the repair process here?

#23 jimmya (New Member, Authentic Member, 13 posts)

Posted 17 June 2007 - 07:36 PM

What a coincidence, we wrote each other within a minute, lol. Yes I do, I posted the 2 logs you requested in the previous message.

#24 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 18 June 2007 - 06:35 PM

Let's see about removing those stubborn files now. Remember to temporarily disable protective software like Windows Defender before doing the next steps.



Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to its own folder (c:\BFU).

Then download the jimmy.zip attachment below, and unzip it to that same C:\BFU folder - this is important for the fix to work.

Start the Brute Force Uninstaller by double clicking BFU.exe

In the scriptline to execute copy and paste the following:

c:\bfu\jimmy.bfu

Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.


Then reboot. After the reboot run a new ComboFix scan, and post that log back here please.

Attached Files



#25 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 25 June 2007 - 09:35 AM

Doesn't look like you have downloaded the fix yet jimmya. Are you still continuing with this repair request? If not the thread will need to be closed.

Edited by Jintan, 25 June 2007 - 09:35 AM.



#26 jimmya (New Member, Authentic Member, 13 posts)

Posted 26 June 2007 - 10:39 AM

No, I just can't download the jimmya zip file; I receive an error message saying I'm not authorized.

#27 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 26 June 2007 - 05:57 PM

At the top of the Tom Coyote forum page you can click on the "register" link to register here, which should allow you access to download attachments when completed.

#28 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 04 July 2007 - 08:33 AM

Quite a bit of time has passed again Jimmya - are we still going forward with the repairs here?
