
Kus109.dat Et. Al.


2 replies to this topic

#1 charliemac64

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 19 March 2008 - 11:03 PM

Hello, and thank you for hosting this forum.

I've been battling a bug for a while now on this laptop. I finally got rid of bolenjx/bolenja so I finally have control of my desktop back. I've been following along in other threads on how to eliminate most of the bad stuff, and think I've got there, except for these two bugs, but I'll let you be the judge of that.

In addition to HJT and SDFix, I have run numerous other programs as indicated in the threads dealing with what to do before posting here.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:16 PM, on 3/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BMd34c7c86] Rundll32.exe "C:\WINNT\system32\tbchvtgj.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: www.seahawkblue.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O20 - AppInit_DLLs: C:\WINNT\system32\kus109.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 3548 bytes


I have also run SD Fix, and here is its log:


SDFix: Version 1.158

Run by user on Wed 03/19/2008 at 7:07p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:



Could Not Remove C:\WINNT\system32\kus109.dat



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 19:31:02
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :

C:\WINNT\system32\kus109.dat Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Finished!


When my machine boots up, I am still getting a bogus background urging me to buy their anti-virus software, if that helps anything. Of course, it doesn't mention who they are, just click on the button. Yeah, right. The regular background pops up until whatever is in the registry runs, then that bogus background pops up.

That's it! Thanks in advance for any help offered.

I forgot to mention that when I ran SDFix, I encountered an error during its running. I received an urgent prompt from the Registry Editor stating, "Cannot import assosfix.reg: Error opening file. There may be a disk or file system error."

I guess that's a bit important, huh? Sorry about that.

Mod Edit: Merged posts ~ OB

Edited by Orange Blossom, 30 March 2008 - 12:40 AM.
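A small triage script, added here as an example and not part of this thread or of the HijackThis tool, that reads lines in HijackThis log format and flags the kinds of entries a helper would look at first: a populated O20 AppInit_DLLs value (normally empty on a clean Windows 2000/XP install, and here pointing at a `.dat` file rather than a DLL), an O4 Run entry that starts a DLL through rundll32 under a machine-generated-looking name, and O15 Trusted Zone additions. The sample lines are constructed from the log above with the backslashes restored; the "looks random" heuristic is my own assumption, not a rule HijackThis applies.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on the entries posted
# above (paths written with their backslashes restored).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BMd34c7c86] Rundll32.exe "C:\WINNT\system32\tbchvtgj.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: www.seahawkblue.com
O20 - AppInit_DLLs: C:\WINNT\system32\kus109.dat
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the line deserves a second look
    line: str      # the original log line


# "O4 - <rest of line>" -> section code and body
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# rundll32 [.exe] ["]<path>.dll   (the DLL path handed to rundll32)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): a stem of 8+ letters with fewer than 25% vowels
    looks machine-generated, e.g. 'tbchvtgj.dll'. Real product names such as
    'sdhelper.dll' or 'jusched.exe' pass through."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.25


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth reviewing, in the order they appear in the log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that maps user32.dll.
            value = body.split(":", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs is populated (normally empty)"
                if not value.lower().endswith(".dll"):
                    reason += "; the file does not carry a .dll extension"
                findings.append(Finding(section, reason, line))

        elif section == "O4":
            # Autostart entry; flag rundll32 loading an oddly named DLL.
            rm = RUNDLL_RE.search(body)
            if rm:
                dll = rm.group(1).replace("\\", "/").rsplit("/", 1)[-1]
                if looks_random(dll):
                    findings.append(Finding(
                        section,
                        f"Run entry loads {dll} through rundll32 and the name looks machine-generated",
                        line))

        elif section == "O15":
            # Trusted Zone sites get relaxed IE security settings; confirm the user added it.
            findings.append(Finding(section, "Trusted Zone entry; confirm it was added deliberately", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the constructed sample this reports the rundll32 Run entry, the Trusted Zone line and the AppInit_DLLs line, and leaves the Spybot, Java and AVG entries alone; the O23 service and O2 BHO lines are not scored here, since for those the useful check is the publisher and path rather than the name.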



#2 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:51 AM

Posted 02 April 2008 - 06:01 AM

Hello and welcome to BleepingComputer. :blink:

I apologize for the delay. The forums are extremely busy.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once we're finished.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
When disabled, please download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer. This is done so it can be re-enabled without problems after cleaning.

Then... Please follow the instructions for running ComboFix and post back with the results in this topic using AddReply. :thumbsup:
Hi there, stranger!

#3 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:51 AM

Posted 09 April 2008 - 06:06 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this topic reopened, please PM a Staff member.
Hi there, stranger!
