
HJT log


This topic is locked. 18 replies to this topic.

#1 StEvE21

StEvE21

  • Members
  • 65 posts

Posted 18 August 2005 - 10:48 AM

I was having trouble with malware and a dialer called SIXA. Adaware, Spybot-S&D, a-squared and AVG did not remove it. I did a system restore and it did not work the first time, but I have done another system restore and it seems to have worked, but AVG still says I have infections that I can't get rid of.
Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:44:42 AM, on 18/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msdevmgr32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\alst\uatr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62995EA0-52B5-9AA8-6969-BABD28D5A896} - C:\Program Files\FYI\kwwjdhjajs.dll (file missing)
O2 - BHO: UpdateCache Class - {6E28339B-7A2A-47B6-AEB2-46BA53782378} - C:\WINDOWS\System32\dllcache\explorer.dll
O2 - BHO: Msxml32DOMDocument Class - {6E28339B-7A2A-47B6-AEB2-46BA53782379} - C:\WINDOWS\System32\dllcache\msxml32.dll (file missing)
O2 - BHO: (no name) - {8D5BF108-16E3-3914-C55A-48A68FA863E7} - C:\WINDOWS\System32\igyixlo.dll
O2 - BHO: (no name) - {ADBD85BC-6655-1CF6-7F55-3DC169564CE6} - C:\WINDOWS\System32\wfbflp.dll
O2 - BHO: (no name) - {CBEE1405-0097-4D00-07FF-D2BD600F70AA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Device32 Manager] C:\WINDOWS\msdevmgr32.exe
O4 - HKLM\..\Run: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\Run: [VIEW POINT DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\Run: [Sytem Confeg] GZKBXQX.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Optional Web Drivers For WIN32] phqghume.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\RunServices: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\RunServices: [VIEW POINT DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [Optional Web Drivers For WIN32] phqghume.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKCU\..\Run: [Zvxz] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Optional Web Drivers For WIN32] phqghume.exe
O4 - HKCU\..\Run: [Osbt] C:\Program Files\alst\uatr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] winmsn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: http://spaces.msn.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c7.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{730F6D7F-4C21-4917-B81B-A95CFEEA44F8}: NameServer = 207.236.176.26 206.47.244.89
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe

Edited by StEvE21, 18 August 2005 - 10:48 AM.
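A triage script for logs of this shape, added here as an example; it is not part of the thread and not HijackThis code. It parses the running-process block and the O2/O4/O23 entries and flags the patterns that stand out in the log above: BHOs and services whose file is missing, Run values that are bare file names found through the PATH search, values containing characters that cannot occur in a Windows file name (the `?` in m?iexec.exe), and executables sitting directly in C:\WINDOWS. The sample log is a constructed excerpt of the posted one, and the allowlist of legitimate C:\WINDOWS executables is a partial one chosen for the example.

```python
import re
from collections import Counter

# Constructed excerpt of the HijackThis 1.99.1 log posted above (not the complete log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\msdevmgr32.exe
C:\WINDOWS\System32\m?iexec.exe

O2 - BHO: (no name) - {62995EA0-52B5-9AA8-6969-BABD28D5A896} - C:\Program Files\FYI\kwwjdhjajs.dll (file missing)
O2 - BHO: UpdateCache Class - {6E28339B-7A2A-47B6-AEB2-46BA53782378} - C:\WINDOWS\System32\dllcache\explorer.dll
O4 - HKLM\..\Run: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\Run: [VIEW POINT DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Zvxz] C:\WINDOWS\System32\m?iexec.exe
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# An executable directly in the Windows directory rather than in a subfolder.
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\([^\\]+\.exe)$", re.IGNORECASE)

# Characters that cannot occur in a Windows file name, plus backtick, which shows
# up when a Run value is not a sane command line at all ("$w Uwww`I" above).
INVALID_CHARS = set("<>|?*`")
# Partial, constructed allowlist of executables that legitimately live in C:\WINDOWS.
KNOWN_WINROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


def iter_lines(text):
    """Yield ("process", line) for the Running processes block, ("entry", line) for Oxx/Rxx items."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            yield "process", line
        elif re.match(r"^[ORFN]\d+ - ", line):
            yield "entry", line


def check_path(path, line, findings):
    """Rules shared by process lines, O4 commands and O23 service paths."""
    tokens = path.split()
    first = tokens[0] if tokens else ""
    if INVALID_CHARS & set(path):
        findings.append(("invalid-filename-char", line))
    m = WINROOT_RE.match(first)
    if m and m.group(1).lower() not in KNOWN_WINROOT_EXES:
        findings.append(("exe-in-windows-root", line))


def triage(text):
    """Return (rule, log line) pairs for every entry that trips a heuristic."""
    findings = []
    for kind, line in iter_lines(text):
        if kind == "process":
            check_path(line, line, findings)
        elif (m := O2_RE.match(line)):
            # A BHO whose DLL is gone is a leftover registration from removed malware.
            if m["path"].endswith("(file missing)") or m["path"] == "(no file)":
                findings.append(("orphaned-bho", line))
        elif (m := O4_RE.match(line)):
            cmd = m["cmd"]
            first = cmd.split()[0] if cmd.split() else ""
            # A bare file name is resolved through the PATH search, usually from C:\WINDOWS\System32.
            if first and not any(c in first for c in "\\:%"):
                findings.append(("bare-command", line))
            check_path(cmd, line, findings)
        elif (m := O23_RE.match(line)):
            if m["owner"] == "Unknown owner":
                findings.append(("unknown-service-owner", line))
            if m["path"].endswith("(file missing)"):
                findings.append(("orphaned-service", line))
            check_path(m["path"], line, findings)
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Entries such as the dllcache\explorer.dll BHO pass these rules and still need a human eye; the script narrows the list, it does not replace the helper reading it.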



#2 JG427

JG427

  • Members
  • 241 posts

Posted 20 August 2005 - 07:19 PM

Hi, Steve.

You have a really nasty collection of malware in your log.
Some are trojans that use a backdoor to connect to the internet. Let's try to shut down a couple of them long enough to install a firewall. Once installed, block everything you don't recognize. Your antivirus may be disabled and not functioning.

Your system restore points are also infected, don't restore again. We will clear all restore points once your system is clean.

Right click any empty area of the taskbar at the bottom of the screen and choose Task Manager. On the Processes tab, scroll down to msdevmgr32.exe.
Highlight it, right click and choose End Process.

Next, click the windows start button, then Run...
Type in services.msc and ok
In services, scroll down to netinfo and double click it to open the properties box
On the general tab, under service status click stop, if it's started
At startup type, click the drop down arrow and choose disabled
Click Apply then ok
Exit from services.

If you are unable to complete these steps, continue with the next steps anyway.

Download and install the free version of Zone alarm firewall from PCworld.

Download Stinger, a standalone virus scanner. Scan with stinger.

Next, please download, install, and update the free version of ewido security suite:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Click on update in the left menu, then click the Start update button.
After the update finishes, exit from ewido as it should be run in safemode.

Reboot into safemode
Restart the computer; as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Open Ewido and click on the Scanner button in the left menu, then click on complete system scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".

It's probably a good idea to repeat your scans with adaware and spybot while in safemode. They may function better in safemode.

Reboot to normal mode.
Scan with hijackthis and post a fresh log.
Also post the report from ewido.

#3 StEvE21

StEvE21
  • Topic Starter

  • Members
  • 65 posts

Posted 20 August 2005 - 10:45 PM

Hey JG427,
Thanks for your time and help.
I have done everything in your instructions up until " After the update finishes, exit from ewido as it should be run in safemode."
I don't think I can follow the rest of your steps, because I have already tried running adaware and spybot in safemode, but I couldn't because my mouse doesn't work in safe mode. I will try again, but is there anything else I can do?
Also, would I have to repeat the steps "Right click any empty area of the taskbar at the bottom of the screen..." and "Next, click the windows start button, then Run..." if I were to restart my computer, or when I reboot in safe mode?
Thanks.

Edited by StEvE21, 20 August 2005 - 10:49 PM.


#4 JG427

JG427

  • Members
  • 241 posts

Posted 21 August 2005 - 12:02 AM

Run ewido in normal mode if safemode doesn't work.
I would still follow it with adaware and spybot scans.

No need to open taskmanager or services for now.
Hopefully, stinger has removed the trojan that was running.

#5 StEvE21

StEvE21
  • Topic Starter

  • Members
  • 65 posts

Posted 21 August 2005 - 02:15 PM

I just ran ewido, and the scan is finished. It began cleaning the infections, and after every time it cleans about 3 infections it says some of them cannot be removed because they are embedded in archives. It asks if I would like to remove the whole archive...what do I do when it says this?
Thanks.
NVM

Edited by StEvE21, 21 August 2005 - 03:10 PM.


#6 StEvE21

StEvE21
  • Topic Starter

  • Members
  • 65 posts

Posted 21 August 2005 - 03:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:57:52 PM, on 21/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msdevmgr32.exe
C:\WINDOWS\System32\GZKBXQX.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\alst\uatr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62995EA0-52B5-9AA8-6969-BABD28D5A896} - C:\Program Files\FYI\kwwjdhjajs.dll (file missing)
O2 - BHO: UpdateCache Class - {6E28339B-7A2A-47B6-AEB2-46BA53782378} - C:\WINDOWS\System32\dllcache\explorer.dll (file missing)
O2 - BHO: Msxml32DOMDocument Class - {6E28339B-7A2A-47B6-AEB2-46BA53782379} - C:\WINDOWS\System32\dllcache\msxml32.dll (file missing)
O2 - BHO: (no name) - {8D5BF108-16E3-3914-C55A-48A68FA863E7} - C:\WINDOWS\System32\igyixlo.dll
O2 - BHO: (no name) - {ADBD85BC-6655-1CF6-7F55-3DC169564CE6} - C:\WINDOWS\System32\wfbflp.dll (file missing)
O2 - BHO: (no name) - {CBEE1405-0097-4D00-07FF-D2BD600F70AA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Device32 Manager] C:\WINDOWS\msdevmgr32.exe
O4 - HKLM\..\Run: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\Run: [Sytem Confeg] GZKBXQX.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\RunServices: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\RunServices: [Optional Web Drivers For WIN32] phqghume.exe
O4 - HKCU\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKCU\..\Run: [Zvxz] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Osbt] C:\Program Files\alst\uatr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunOnce: [Sytem Confeg] GZKBXQX.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O15 - Trusted Zone: http://spaces.msn.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c7.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{730F6D7F-4C21-4917-B81B-A95CFEEA44F8}: NameServer = 207.236.176.26 206.47.244.89
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:24:27 PM, 21/08/2005
+ Report-Checksum: 52DF358E

+ Scan result:

[1572] C:\WINDOWS\System32\phqghu.exe -> Backdoor.Rbot.mg : Cleaned with backup
[1580] C:\WINDOWS\System32\phqghume.exe -> Backdoor.Rbot.mg : Cleaned with backup
C:\cd45.exe/y.bat -> Trojan.Zapchast : Cleaned with backup
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\8vdcxq2c.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\8vdcxq2c.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4VEZIJAL\adult1[1].exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4VEZIJAL\adult1[2].exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4VEZIJAL\m11[1].jpg/y.bat -> Trojan.Zapchast : Error during cleaning
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8DKP4ZYJ\klik[1].exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GX2V89AJ\pnp[1].exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\%SYSROOT%\kansy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\%SYSROOT%\kany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\Cookies\silvio and anna@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\e8a.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\e8a.exe/rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\e8ad79.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\e8ad79.exe/rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Silvio and Anna\ea7.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Silvio and Anna\ea7.exe/rany.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Silvio and Anna\Local Settings\Temporary Internet Files\Content.IE5\54PW01LZ\krisback[1].jpg/y.bat -> Trojan.Zapchast : Error during cleaning
C:\Documents and Settings\Silvio and Anna\Local Settings\Temporary Internet Files\Content.IE5\Q9D6RR57\3e8ad79a0434[1].jpg/ransy.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Silvio and Anna\Local Settings\Temporary Internet Files\Content.IE5\Q9D6RR57\3e8ad79a0434[1].jpg/rany.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Steven\%SYSROOT%\kansy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Steven\%SYSROOT%\kany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Steven\354fx.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Steven\354fx.exe/rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Steven\446.exe/y.bat -> Trojan.Zapchast : Cleaned with backup
C:\Documents and Settings\Steven\Cookies\steven@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Steven\Cookies\steven@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Steven\e8a.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Steven\e8a.exe/rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\Documents and Settings\Steven\e8ad7.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Steven\e8ad7.exe/rany.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Steven\e8ad79.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Steven\e8ad79.exe/rany.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Steven\Local Settings\Temp\Cookies\steven@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Steven\Local Settings\Temp\Del37.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Steven\Local Settings\Temporary Internet Files\Content.IE5\AP4JA3GJ\krisback[1].jpg/y.bat -> Trojan.Zapchast : Error during cleaning
C:\QMBXF.exe -> Backdoor.Rbot.ur : Cleaned with backup
C:\UYGMN.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\defrag32.exe/4.html -> Spyware.Linker : Error during cleaning
C:\WINDOWS\defrag32.exe/ss.exe -> Trojan.LowZones.d : Error during cleaning
C:\WINDOWS\Edit.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\ra.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\%SYSROOT%\kansy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\%SYSROOT%\kany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\aqpdooif.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\aqpdooif.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\axwdeqhn.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\axwdeqhn.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\azzr.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\azzr.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\blkviekt.exe/ss.exe -> Trojan.LowZones.d : Error during cleaning
C:\WINDOWS\system32\blkviekt.exe/3.html -> Spyware.Linker : Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BFP6YRQR\bridge-c7[1].cab/MediaAccX.dll -> Spyware.WinAD : Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RYONSQ9M\MediaTicketsInstaller[1].cab/MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Error during cleaning
C:\WINDOWS\system32\csrmwqld.exe/ss.exe -> Trojan.LowZones.d : Error during cleaning
C:\WINDOWS\system32\csrmwqld.exe/3.html -> Spyware.Linker : Error during cleaning
C:\WINDOWS\system32\dkzyz.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\dkzyz.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\dllcache\explorer.dll -> TrojanSpy.Small.cz : Cleaned with backup
C:\WINDOWS\system32\dwdnkm.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\dwdnkm.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\e8a.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\e8a.exe/rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\e8ad7.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\e8ad7.exe/rany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\e8ad79.exe/kansy.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\e8ad79.exe/kany.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\system32\eczwlq.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\eczwlq.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\efeoz.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\efeoz.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\evhic.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\evhic.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\fboaups.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\fboaups.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\fcibdyki.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\fcibdyki.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\fczyg.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\fczyg.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\gjlpsxh.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\gjlpsxh.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\grofpll.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\grofpll.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\gvny.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\gvny.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\hbvriiy.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\hbvriiy.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\hibskes.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\hibskes.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\hlgwted.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\hlgwted.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\huweyh.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\huweyh.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\ivxjd.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\ivxjd.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\ksbvyurm.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\ksbvyurm.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\kxcwk.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\kxcwk.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\kzcpt.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\kzcpt.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\laavcwqe.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\laavcwqe.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\lqiqrese.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\lqiqrese.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\mimz.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\mimz.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\orans.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup
C:\WINDOWS\system32\pffre.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\pffre.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\pgpafhcj.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\pgpafhcj.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\phqghume.exe -> Backdoor.Rbot.ur : Cleaned with backup
C:\WINDOWS\system32\pjlsx.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\pjlsx.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\ppeefd.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\ppeefd.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\pzlbr.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\pzlbr.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\qgkt.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\qgkt.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\qjibkzqu.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\qjibkzqu.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\qpndil.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\qpndil.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\qwsycw.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\qwsycw.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\qxfqsh.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\qxfqsh.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\WINDOWS\system32\rzkjkai.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\rzkjkai.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\shmdhzzu.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\shmdhzzu.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\ssteaalr.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\ssteaalr.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\uifp.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\uifp.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\utmngcw.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\utmngcw.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\uwdjskjz.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\uwdjskjz.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\vfwjlbn.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\vfwjlbn.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\vojza.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\vojza.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\vyefqys.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\vyefqys.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\wfbflp.dll -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\wqkcjet.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\wqkcjet.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\wxlhnj.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\wxlhnj.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\xgzcgsco.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\xgzcgsco.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\xleue.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\xleue.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\xzuikg.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\xzuikg.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\yqqh.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\yqqh.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\yryrpyaj.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\yryrpyaj.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\zqtgskv.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\zqtgskv.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\zsgk.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\zsgk.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\system32\zzocszz.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\zzocszz.exe/3.html -> Spyware.Linker : Cleaned with backup
C:\WINDOWS\Temp\eraseme_27527.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\Temp\eraseme_41762.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\Temp\ICD1.tmp\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\uhrgvzs.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\y.bat -> Trojan.Zapchast : Cleaned with backup
C:\WINDOWS\y.exe/y.bat -> Trojan.Zapchast : Cleaned with backup


::Report End


BTW I ran Ewido and HJT and saved the logs twice. Would you like to see the 2nd results?
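A parser for the ewido report format above, added as an example that is not part of the thread or of ewido. It handles the three line shapes the report uses (plain path, `[pid]` prefix for a running process, `:mozilla.N:` prefix for a cookie store) and splits `container/member` paths, which is what the "embedded in archives" prompt Steve asked about refers to; the summary then shows whether every "Error during cleaning" entry is such an archive member. The sample is a constructed excerpt of the posted report.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the ewido scan report posted above (nine of its lines).
SAMPLE_REPORT = r"""---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:24:27 PM, 21/08/2005
+ Report-Checksum: 52DF358E

+ Scan result:

[1572] C:\WINDOWS\System32\phqghu.exe -> Backdoor.Rbot.mg : Cleaned with backup
C:\cd45.exe/y.bat -> Trojan.Zapchast : Cleaned with backup
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\8vdcxq2c.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Steven\e8ad7.exe/ransy.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\Documents and Settings\Steven\e8ad7.exe/rany.reg -> Trojan.WinREG.LowZones.f : Error during cleaning
C:\WINDOWS\defrag32.exe/4.html -> Spyware.Linker : Error during cleaning
C:\WINDOWS\defrag32.exe/ss.exe -> Trojan.LowZones.d : Error during cleaning
C:\WINDOWS\system32\orans.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BFP6YRQR\bridge-c7[1].cab/MediaAccX.dll -> Spyware.WinAD : Error during cleaning

::Report End
"""

ENTRY_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?"            # [1572]  -> detection hit in a running process
    r"(?::(?P<store>[^:]+):)?"            # :mozilla.6:  -> record inside a cookie store
    r"(?P<path>.+?) -> (?P<detection>\S+) : (?P<status>.+)$"
)


def parse_report(text):
    """Return one dict per result line; headers, separators and the footer are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        # ewido writes a file found inside an archive as container/member,
        # e.g. e8ad7.exe/ransy.reg: the .reg is packed inside the .exe.
        container, sep, member = e["path"].partition("/")
        e["container"] = container if sep else None
        e["member"] = member if sep else None
        entries.append(e)
    return entries


def summarize(entries):
    """Counts by status and detection name, plus which archives hold the uncleaned members."""
    failed = [e for e in entries if e["status"].startswith("Error")]
    failed_containers = defaultdict(list)
    for e in failed:
        if e["container"]:
            failed_containers[e["container"]].append(e["member"])
    return {
        "total": len(entries),
        "by_status": Counter(e["status"] for e in entries),
        "by_detection": Counter(e["detection"] for e in entries),
        "archive_members": sum(1 for e in entries if e["container"]),
        "failed_containers": dict(failed_containers),
        # The question raised in the thread: are the failures all archive members?
        "all_failures_in_archives": all(e["container"] for e in failed),
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```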

#7 JG427

JG427

  • Members
  • 241 posts

Posted 21 August 2005 - 08:10 PM

It asks if I would like to remove the whole archive...what do I do when it says this?


Don't remove them yet, let's look at the new log first. Some bad files are in temp. folders.
Download CCleaner and run the installer ccsetup115.exe.
CCleaner is a utility that will remove unused and temporary files from your system.
Open CCleaner and uncheck cookies on the Windows and Applications tabs if you have cookies you want to keep. Click Run Cleaner in the lower right corner.

Some files and folders may be hidden; change these settings to show them.
Open Windows Explorer & Go to Tools > Folder Options.
Click on the View tab
Place a checkmark at "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Uncheck "hide extensions for known file types"
Click "Apply to all folders"
Click "Apply" then "OK"

Some files listed to delete do not show the file path.
Change these search settings to search for hidden and system files:
Click start > search > change preferences
Click "change file and folder search behavior"
Choose "advanced" then ok
Click the drop down arrow at "more advanced options"
Place a checkmark at the following:
search system folders
search hidden files and folders
search subfolders

Copy the following instructions and paste them into Notepad to use when this browser window must be closed.
Also close Notepad when you click Fix checked in HijackThis; you can reopen it afterwards.

Scan with hijackthis and checkmark these lines:

O2 - BHO: (no name) - {62995EA0-52B5-9AA8-6969-BABD28D5A896} - C:\Program Files\FYI\kwwjdhjajs.dll (file missing)
O2 - BHO: UpdateCache Class - {6E28339B-7A2A-47B6-AEB2-46BA53782378} - C:\WINDOWS\System32\dllcache\explorer.dll (file missing)
O2 - BHO: Msxml32DOMDocument Class - {6E28339B-7A2A-47B6-AEB2-46BA53782379} - C:\WINDOWS\System32\dllcache\msxml32.dll (file missing)
O2 - BHO: (no name) - {8D5BF108-16E3-3914-C55A-48A68FA863E7} - C:\WINDOWS\System32\igyixlo.dll
O2 - BHO: (no name) - {ADBD85BC-6655-1CF6-7F55-3DC169564CE6} - C:\WINDOWS\System32\wfbflp.dll (file missing)
O2 - BHO: (no name) - {CBEE1405-0097-4D00-07FF-D2BD600F70AA} - (no file)



O4 - HKLM\..\Run: [Microsoft Device32 Manager] C:\WINDOWS\msdevmgr32.exe
O4 - HKLM\..\Run: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\Run: [Sytem Confeg] GZKBXQX.EXE

O4 - HKLM\..\RunServices: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\RunServices: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\RunServices: [Optional Web Drivers For WIN32] phqghume.exe
O4 - HKCU\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKCU\..\Run: [Zvxz] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Osbt] C:\Program Files\alst\uatr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunOnce: [Sytem Confeg] GZKBXQX.EXE

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c7.cab

Close all browsers and open windows, except hijackthis, and click fix checked.

Delete these files or folders marked in bold:
(some may be missing, delete all you find)

C:\Program Files\FYI<-- folder
C:\WINDOWS\msdevmgr32.exe
C:\Program Files\alst\<--folder

Click on the start button then search.
Enter the file name and look in C:
Delete any you find including prefetch locations.
$w Uwww`I <-- I'm not sure what to make of this; copy and paste it into the search box.
I think it will be missing. Also search for wkssvc32.exe, the file name normally associated with this line.

ntframe.exe
winmsn.exe
GZKBXQX.EXE


One file we need to delete has a name similar to a Windows system file.
Let's use the following batch file to list all copies of the file on your system.

Copy the contents of the quote box.
Right click an empty area of the desktop and choose new > text document.
Right click and paste the text from the quote box into the .txt file.
Click File > "Save as", name it FindFile.bat and change "Save as type" to "All files".
Save to your desktop.

@echo off
rem The ? in the pattern is a wildcard, so this lists every file whose name is
rem "m", any one character, "iexec.exe" - the real msiexec.exe included.
rem /a with no attribute letters lists all files (hidden and system ones too);
rem /s searches every subfolder of the system drive.
dir %SystemDrive%\m?iexec.exe /a /s > files.txt
start notepad files.txt

Double-click on FindFile.bat.
It will open files.txt
Please post the contents here.


Scan again with ewido and post the latest log.
Restart your system after the ewido scan, then scan with hijackthis.

Please post the new ewido log, the hijackthis log and the results of the findfile.bat.
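The O4 lines JG427 picks out above share a few visible tells: a command made of garbage characters that HijackThis itself could not handle, executables named with no path at all, and entries under the RunServices keys. The script below is an added example (not HijackThis code and not part of this thread) that encodes those tells as rules and runs them over the O4 lines copied from the logs in this thread, plus three legitimate lines from the final log so the rules have something to pass. The rule wording and the allowed-character set are the editor's assumptions.

```python
"""Rule-based triage of HijackThis O4 (autorun) lines. Added example, not
HijackThis logic. Three rules: commands containing characters that never
occur in a legitimate Run value, executables given without any path, and
anything under a RunServices key (honoured only by Windows 9x/Me, so on XP
nothing legitimate writes it)."""
import re
import string

# Constructed sample: O4 lines from the infected log in this thread, followed
# by three legitimate lines from the final (clean) log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Device32 Manager] C:\WINDOWS\msdevmgr32.exe
O4 - HKLM\..\Run: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\Run: [Sytem Confeg] GZKBXQX.EXE
O4 - HKLM\..\RunServices: [Windows Workstation Service(32-bits)] $w Uwww`I
O4 - HKLM\..\RunServices: [Windows File System Frame] ntframe.exe
O4 - HKLM\..\RunServices: [Optional Web Drivers For WIN32] phqghume.exe
O4 - HKCU\..\Run: [Windows File System Frame] ntframe.exe
O4 - HKCU\..\Run: [Zvxz] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Osbt] C:\Program Files\alst\uatr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] winmsn.exe
O4 - HKCU\..\RunOnce: [Sytem Confeg] GZKBXQX.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

# O4 - <hive>\..\<key>: [<display name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed set of characters a legitimate Run value is made of (letters, digits,
# path separators, environment variables, quotes and a few switch characters).
ALLOWED = frozenset(string.ascii_letters + string.digits + " .\\:_-~%()/,=+'\"")

# A command that starts with a drive letter, an %ENV% variable or a UNC prefix.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\|\\\\)")


def triage_o4(line):
    """Parse one O4 line; return its fields plus a list of red flags (None if not an O4 line)."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    key = m.group("key")
    cmd = m.group("cmd").strip()
    flags = []
    if key.startswith("RunServices"):
        flags.append("RunServices key: honoured only by Windows 9x/Me, nothing legitimate uses it on XP")
    first = cmd.split(" ", 1)[0].strip('"')
    if not PATH_RE.match(first):
        flags.append("no path: the name is resolved through the search path at logon")
    odd = sorted({c for c in cmd if c not in ALLOWED})
    if odd:
        flags.append("unexpected characters in command: " + " ".join(repr(c) for c in odd))
    return {"hive": m.group("hive"), "key": key, "name": m.group("name"),
            "cmd": cmd, "flags": flags}


def triage_log(text):
    """All O4 entries in a HijackThis log, each with its flags (possibly empty)."""
    return [r for r in map(triage_o4, text.splitlines()) if r is not None]


def flagged(text):
    """Only the entries that tripped at least one rule."""
    return [r for r in triage_log(text) if r["flags"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_LOG):
        print(f'{r["hive"]}\\..\\{r["key"]}: [{r["name"]}] {r["cmd"]}')
        for f in r["flags"]:
            print("    -", f)
```

On the sample, 11 of the 16 lines trip a rule and the three legitimate lines pass. Two bad entries ([Microsoft Device32 Manager] and [Osbt]) carry full paths and ordinary characters, so no rule catches them; those are the ones that still need the file itself checked (date, size, scanner verdict), which is exactly what the rest of the thread does.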

#8 StEvE21 (Topic Starter)

Posted 22 August 2005 - 10:59 AM

Was this supposed to happen?
I closed all open windows except HJT, and I clicked "scan checked." It started, then an error message popped up. It did this a couple of times.
This is what it said:
Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath($w).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.

Do I proceed with the next steps?
Also, what is a prefetch location?
Thanks again.

Edited by StEvE21, 22 August 2005 - 11:05 AM.


#9 JG427

Posted 22 August 2005 - 02:29 PM

Scan and checkmark the lines again, except leave out this line:
O4 - HKLM\..\Run: [Windows Workstation Service(32-bits)] $w Uwww`I

I guess hijackthis didn't know what to make of it either.
We may need to manually remove that one in the registry later.

Next, continue with the file deletions.

Prefetch stores information on each file you load to improve start-up time. In this case it would be information about the bad files. The file name will be the same, except it will have .pf at the end. You can safely delete any or all .pf files; Windows will rebuild the ones that you use again. For example, explorer.exe would have a prefetch file similar to EXPLORER.EXE-082F38A9.pf. They will show up in search results when you run a search, so delete the bad file and badfile.exe.pf.

#10 StEvE21 (Topic Starter)

Posted 22 August 2005 - 04:00 PM

I deleted the file "msdevmgr32.exe" and the folder "alst."
The search didn't find "$w Uwww`I" or "wkssvc32.exe".
The search only found a .pf file for "ntframe.exe" and "winmsn.exe".
I deleted "GZKBXQX.EXE" and its prefetch location.

This is the text from findfile.bat

Volume in drive C has no label.
Volume Serial Number is 8861-7D25

Directory of C:\WINDOWS\system32

23/08/2001 08:00 AM 63,488 msiexec.exe
08/08/2005 09:23 AM 401,408 m?iexec.exe
2 File(s) 464,896 bytes

Directory of C:\WINDOWS\system32\dllcache

23/08/2001 08:00 AM 63,488 msiexec.exe
1 File(s) 63,488 bytes

Directory of C:\WINNT\system32

07/12/1999 08:00 AM 47,888 msiexec.exe
1 File(s) 47,888 bytes

Directory of C:\WINNT\system32\dllcache

07/12/1999 08:00 AM 47,888 msiexec.exe
1 File(s) 47,888 bytes

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:50:50 PM, 22/08/2005
+ Report-Checksum: 1DA2B406

+ Scan result:

C:\Documents and Settings\Steven\Cookies\steven@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup


::Report End

#11 StEvE21 (Topic Starter)

Posted 22 August 2005 - 04:13 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:07:02 PM, on 22/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O15 - Trusted Zone: http://spaces.msn.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 JG427

Posted 22 August 2005 - 05:34 PM

Looking better and better!

Only some clean-up left to do; no bad files remain in your running processes.


Go to start > run and copy and paste the following in the field:
sc delete MAPI
Click ok

Here is the bad file to delete from the findfile.bat:
C:\WINDOWS\system32\m?iexec.exe

Before deleting, check the date and file size by right clicking the file > properties
08/08/2005 09:23 AM 401,408 m?iexec.exe
The ? is a wildcard character; it may be replaced by another character.
That's why we need to check the date and file size.
Do not delete this one: 23/08/2001 08:00 AM 63,488 msiexec.exe

We need to work on adding some prevention to your system.
The most critical step is to visit windows update, click express install and install all critical updates.
Turn on automatic updates and allow it to install service pack 2.
Your system is wide open to attack until this is done.

I also recommend these free programs:
SpywareBlaster helps prevent spyware from installing in the first place.
IE-SPYAD adds a long list of sites to the restricted sites zone of internet explorer.
Microsoft Windows AntiSpyware (Beta)
Detects and removes known spyware from your system. Includes real time protection to monitor changes to your system and provides the option for you to allow or block the change.


Check in a new scan with hijackthis for this line:
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)

Did we get rid of that one?
How is your system running now?
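JG427's post above explains why the findfile.bat listing (posted in #10) shows the real msiexec.exe next to the impostor, and why the date and size decide which one to delete. The script below is an added example, not part of the thread: it parses that kind of `dir /a /s` output, reports every match whose name is not spelled exactly like the genuine binary, and compares each copy with the Windows File Protection copy kept in system32\dllcache. The sample listing is the one StEvE21 posted, retyped; treating `?` as an unrenderable character and the dllcache size comparison are the editor's assumptions, not something the thread states.

```python
"""Parse `dir <pattern> /a /s` output and pick out the impostor among files that
matched a wildcard. Added example, not from the thread. Two checks: the name must
be spelled exactly like the real binary (a `?` in the listing, or any non-ASCII
character, means it is not), and a copy in system32 should be the same size as
the Windows File Protection copy in system32\\dllcache."""
import re

# Constructed sample: the findfile.bat output posted in this thread. The `?` is
# how the forum rendered a character that is not a plain ASCII 's'.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 8861-7D25

 Directory of C:\WINDOWS\system32

23/08/2001  08:00 AM            63,488 msiexec.exe
08/08/2005  09:23 AM           401,408 m?iexec.exe
               2 File(s)        464,896 bytes

 Directory of C:\WINDOWS\system32\dllcache

23/08/2001  08:00 AM            63,488 msiexec.exe
               1 File(s)         63,488 bytes

 Directory of C:\WINNT\system32

07/12/1999  08:00 AM            47,888 msiexec.exe
               1 File(s)         47,888 bytes

 Directory of C:\WINNT\system32\dllcache

07/12/1999  08:00 AM            47,888 msiexec.exe
               1 File(s)         47,888 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<path>\S.*?)\s*$")
# date  time  size  name   (the "n File(s)" summary line has no date, so it is skipped)
ENTRY_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<name>\S.*?)\s*$")


def parse_dir_output(text):
    """One dict per file line, tagged with the directory it was listed under."""
    entries, current = [], None
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            current = d.group("path")
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            entries.append({"dir": current, "name": e.group("name"),
                            "size": int(e.group("size").replace(",", "")),
                            "date": e.group("date"), "time": e.group("time")})
    return entries


def name_problems(name, legit):
    """Reasons `name` is not the genuine file name (empty list if it is)."""
    if name.lower() == legit.lower():
        return []
    problems = ["not spelled exactly like " + legit]
    if "?" in name:
        problems.append("contains a character the listing could not render")
    odd = [f"U+{ord(c):04X}" for c in name if ord(c) > 127]
    if odd:
        problems.append("non-ASCII character(s): " + " ".join(odd))
    return problems


def find_impostors(entries, legit):
    """Entries that matched the wildcard but are not the genuine file name."""
    return [(e, name_problems(e["name"], legit)) for e in entries
            if name_problems(e["name"], legit)]


def check_against_dllcache(entries):
    """Compare each non-cache copy with the dllcache copy of the same Windows install."""
    cache = {(e["dir"].lower(), e["name"].lower()): e["size"]
             for e in entries if e["dir"].lower().endswith("\\dllcache")}
    verdicts = []
    for e in entries:
        d = e["dir"].lower()
        if d.endswith("\\dllcache"):
            continue
        ref = cache.get((d + "\\dllcache", e["name"].lower()))
        if ref is None:
            verdict = "no dllcache copy to compare against"
        elif ref == e["size"]:
            verdict = "same size as dllcache copy"
        else:
            verdict = "size differs from dllcache copy"
        verdicts.append((verdict, e))
    return verdicts


if __name__ == "__main__":
    entries = parse_dir_output(SAMPLE_LISTING)
    for e, why in find_impostors(entries, "msiexec.exe"):
        print(f'{e["dir"]}\\{e["name"]}  {e["size"]:,} bytes  {e["date"]}: ' + "; ".join(why))
    for verdict, e in check_against_dllcache(entries):
        print(f'{e["dir"]}\\{e["name"]}: {verdict}')
```

On the posted listing this singles out C:\WINDOWS\system32\m?iexec.exe (401,408 bytes, dated 08/08/2005) as the only match that is not the genuine name, and confirms that both real msiexec.exe copies match their dllcache twins. A name that looks right on screen but uses a non-ASCII look-alike letter is caught by the same check, because the comparison is on the exact code points, not on appearance.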

#13 StEvE21 (Topic Starter)

Posted 22 August 2005 - 05:40 PM

When I paste "sc delete MAPI" and click OK, a window opens and then closes right away.
It is black and looks something like the command prompt. Can I delete "m?iexec.exe" from somewhere else?

#14 JG427

Posted 22 August 2005 - 06:46 PM

I'm sorry, I should have explained better.
The first part is to delete the service "MAPI" contained in the hijackthis line:
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
Edit: Command prompt did open to delete mapi, move on to the second part.


Use Windows Explorer to delete the file m?iexec.exe: right click the Start button on the taskbar and choose Explore. Navigate to C:\WINDOWS\system32\, locate the file and delete it there. Remember to right click the file and check Properties as listed in my last post before deleting.

Edited by JG427, 22 August 2005 - 06:50 PM.


#15 StEvE21 (Topic Starter)

Posted 22 August 2005 - 08:13 PM

NP...
I deleted the right m?iexec.exe.
While I was in system32, I saw 2 files that I thought you should know about.
One was called "mapi.32.dll" and the other was "mapistub.dll". Should these be deleted?
I ran HJT and there was no "O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)."

If/when we are done cleaning out the bad files, can I re-enable System Restore and change my settings to not show hidden files and folders anymore?

Also, I have a lot of AS and AV programs. Do you think I need all of these: Stinger, Spybot-S&D, Ad-Aware, CWShredder, Ewido and ZoneAlarm? Should I still download SpywareBlaster?

Edited by StEvE21, 22 August 2005 - 08:23 PM.
