Trojans


  • This topic is locked
12 replies to this topic

#1 Hanz (Members, 6 posts)

Posted 27 February 2006 - 04:20 PM

I'll really appreciate it if someone can tell me how to eliminate this virus from my computer. Sometimes a lot of internet pages and advertising banners open on my computer's screen, so please help me! And thanks a lot!!!! :thumbsup:

The specific names of the trojans that I've found:

TROJ_DLOADER.AW
TROJ_QOULOGIC.AA
TROJ_QUOLOGIC.AJ

Logfile of HijackThis v1.99.1
Scan saved at 03:03:56 a.m., on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Archivos de programa\Real\RealPlayer\RealPlay.exe
C:\windows\winsysban11.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\Archivos de programa\WinRAR\WinRAR.exe
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Luis Teuffer\Escritorio\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [RealTray] C:\Archivos de programa\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [winsysupd] c:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames12.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Archivos de programa\Network\ipnetwork.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\enlol1331.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\THVpcyBUZXVmZmVy\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

#2 sUBs (Malware Response Team, 2,489 posts)

Posted 27 February 2006 - 04:31 PM

Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder, double click l2mfix.bat
  • Select option #2 for Run Fix by typing 2 and then pressing enter ONCE.
Do NOT depress any keys on your keyboard until the tool requests you to "press any key to reboot".

On the reboot notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open, double-click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

#3 Hanz (Topic Starter, Members, 6 posts)

Posted 27 February 2006 - 07:04 PM

Here is the text that appears. I will appreciate your help, thanks.

L2mfix 010406
Creating Account.
Se ha completado el comando correctamente.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 428 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'
Killing PID 1528 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1324 'rundll32.exe'
Killing PID 1324 'rundll32.exe'
Killing PID 1324 'rundll32.exe'
Killing PID 1324 'rundll32.exe'
Killing PID 1324 'rundll32.exe'
Restoring Sedebugprivilege:

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
1 archivos copiados.
Deleting: C:\WINDOWS\system32\e2202cfmgf2a2.dll
Successfully Deleted: C:\WINDOWS\system32\e2202cfmgf2a2.dll
Deleting: C:\WINDOWS\system32\en46l1hs1.dll
Successfully Deleted: C:\WINDOWS\system32\en46l1hs1.dll
Deleting: C:\WINDOWS\system32\en64l1jq1.dll
Successfully Deleted: C:\WINDOWS\system32\en64l1jq1.dll
Deleting: C:\WINDOWS\system32\enjul1191.dll
Successfully Deleted: C:\WINDOWS\system32\enjul1191.dll
Deleting: C:\WINDOWS\system32\enp2l17o1.dll
Successfully Deleted: C:\WINDOWS\system32\enp2l17o1.dll
Deleting: C:\WINDOWS\system32\enpql1751.dll
Successfully Deleted: C:\WINDOWS\system32\enpql1751.dll
Deleting: C:\WINDOWS\system32\h44m0eh1eh4.dll
Successfully Deleted: C:\WINDOWS\system32\h44m0eh1eh4.dll
Deleting: C:\WINDOWS\system32\i4lo0e33eh.dll
Successfully Deleted: C:\WINDOWS\system32\i4lo0e33eh.dll
Deleting: C:\WINDOWS\system32\ir22l5fo1.dll
Successfully Deleted: C:\WINDOWS\system32\ir22l5fo1.dll
Deleting: C:\WINDOWS\system32\irp0l57m1.dll
Successfully Deleted: C:\WINDOWS\system32\irp0l57m1.dll
Deleting: C:\WINDOWS\system32\k4440ehqeh4e0.dll
Successfully Deleted: C:\WINDOWS\system32\k4440ehqeh4e0.dll
Deleting: C:\WINDOWS\system32\kxdusr.dll
Successfully Deleted: C:\WINDOWS\system32\kxdusr.dll
Deleting: C:\WINDOWS\system32\l66olgj316o.dll
Successfully Deleted: C:\WINDOWS\system32\l66olgj316o.dll
Deleting: C:\WINDOWS\system32\m682lglo16qc.dll
Successfully Deleted: C:\WINDOWS\system32\m682lglo16qc.dll
Deleting: C:\WINDOWS\system32\o0ns0a57ed.dll
Successfully Deleted: C:\WINDOWS\system32\o0ns0a57ed.dll
Deleting: C:\WINDOWS\system32\p2n8lc5u1f.dll
Successfully Deleted: C:\WINDOWS\system32\p2n8lc5u1f.dll
Deleting: C:\WINDOWS\system32\p68qlgl516q.dll
Successfully Deleted: C:\WINDOWS\system32\p68qlgl516q.dll
Deleting: C:\WINDOWS\system32\q0nu0a59ed.dll
Successfully Deleted: C:\WINDOWS\system32\q0nu0a59ed.dll
Deleting: C:\WINDOWS\system32\q6rqlg9516.dll
Successfully Deleted: C:\WINDOWS\system32\q6rqlg9516.dll
Deleting: C:\WINDOWS\system32\r6r6lg9s16.dll
Successfully Deleted: C:\WINDOWS\system32\r6r6lg9s16.dll
Deleting: C:\WINDOWS\system32\xqsp2res.dll
Successfully Deleted: C:\WINDOWS\system32\xqsp2res.dll

msg11?.dll
0 archivos copiados.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\e2202cfmgf2a2.dll
C:\WINDOWS\system32\en46l1hs1.dll
C:\WINDOWS\system32\en64l1jq1.dll
C:\WINDOWS\system32\enjul1191.dll
C:\WINDOWS\system32\enp2l17o1.dll
C:\WINDOWS\system32\enpql1751.dll
C:\WINDOWS\system32\h44m0eh1eh4.dll
C:\WINDOWS\system32\i4lo0e33eh.dll
C:\WINDOWS\system32\ir22l5fo1.dll
C:\WINDOWS\system32\irp0l57m1.dll
C:\WINDOWS\system32\k4440ehqeh4e0.dll
C:\WINDOWS\system32\kxdusr.dll
C:\WINDOWS\system32\l66olgj316o.dll
C:\WINDOWS\system32\m682lglo16qc.dll
C:\WINDOWS\system32\o0ns0a57ed.dll
C:\WINDOWS\system32\p2n8lc5u1f.dll
C:\WINDOWS\system32\p68qlgl516q.dll
C:\WINDOWS\system32\q0nu0a59ed.dll
C:\WINDOWS\system32\q6rqlg9516.dll
C:\WINDOWS\system32\r6r6lg9s16.dll
C:\WINDOWS\system32\xqsp2res.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{68A5A1C8-EB05-4633-96FA-8D41383AFF9E}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{68A5A1C8-EB05-4633-96FA-8D41383AFF9E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68A5A1C8-EB05-4633-96FA-8D41383AFF9E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68A5A1C8-EB05-4633-96FA-8D41383AFF9E}\InprocServer32]
@="C:\\WINDOWS\\system32\\jiproxy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{56386150-6119-43BC-8218-24CF99582864}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56386150-6119-43BC-8218-24CF99582864}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56386150-6119-43BC-8218-24CF99582864}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56386150-6119-43BC-8218-24CF99582864}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CA0A4002-B2F2-479D-8808-833E6CC26E83}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA0A4002-B2F2-479D-8808-833E6CC26E83}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA0A4002-B2F2-479D-8808-833E6CC26E83}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA0A4002-B2F2-479D-8808-833E6CC26E83}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxdusr.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{68A5A1C8-EB05-4633-96FA-8D41383AFF9E}"=-
"{56386150-6119-43BC-8218-24CF99582864}"=-
"{CA0A4002-B2F2-479D-8808-833E6CC26E83}"=-
[-HKEY_CLASSES_ROOT\CLSID\{68A5A1C8-EB05-4633-96FA-8D41383AFF9E}]
[-HKEY_CLASSES_ROOT\CLSID\{56386150-6119-43BC-8218-24CF99582864}]
[-HKEY_CLASSES_ROOT\CLSID\{CA0A4002-B2F2-479D-8808-833E6CC26E83}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/e2202cfmgf2a2.dll (164 bytes security) (deflated 5%)
adding: dlls/en46l1hs1.dll (164 bytes security) (deflated 6%)
adding: dlls/en64l1jq1.dll (164 bytes security) (deflated 5%)
adding: dlls/enjul1191.dll (164 bytes security) (deflated 4%)
adding: dlls/enp2l17o1.dll (164 bytes security) (deflated 4%)
adding: dlls/enpql1751.dll (164 bytes security) (deflated 5%)
adding: dlls/h44m0eh1eh4.dll (164 bytes security) (deflated 4%)
adding: dlls/i4lo0e33eh.dll (164 bytes security) (deflated 4%)
adding: dlls/ir22l5fo1.dll (164 bytes security) (deflated 4%)
adding: dlls/irp0l57m1.dll (164 bytes security) (deflated 5%)
adding: dlls/k4440ehqeh4e0.dll (164 bytes security) (deflated 4%)
adding: dlls/kxdusr.dll (164 bytes security) (deflated 5%)
adding: dlls/l66olgj316o.dll (164 bytes security) (deflated 5%)
adding: dlls/m682lglo16qc.dll (164 bytes security) (deflated 6%)
adding: dlls/o0ns0a57ed.dll (164 bytes security) (deflated 5%)
adding: dlls/p2n8lc5u1f.dll (164 bytes security) (deflated 6%)
adding: dlls/p68qlgl516q.dll (164 bytes security) (deflated 5%)
adding: dlls/q0nu0a59ed.dll (164 bytes security) (deflated 4%)
adding: dlls/q6rqlg9516.dll (164 bytes security) (deflated 6%)
adding: dlls/r6r6lg9s16.dll (164 bytes security) (deflated 5%)
adding: dlls/xqsp2res.dll (164 bytes security) (deflated 5%)
adding: backregs/56386150-6119-43BC-8218-24CF99582864.reg (212 bytes security) (deflated 70%)
adding: backregs/68A5A1C8-EB05-4633-96FA-8D41383AFF9E.reg (212 bytes security) (deflated 69%)
adding: backregs/CA0A4002-B2F2-479D-8808-833E6CC26E83.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

#4 sUBs (Malware Response Team, 2,489 posts)

Posted 27 February 2006 - 07:08 PM

May I have a fresh HijackThis log?

#5 Hanz (Topic Starter, Members, 6 posts)

Posted 27 February 2006 - 07:22 PM

This is the newest log that HijackThis shows.

Logfile of HijackThis v1.99.1
Scan saved at 06:24:34 a.m., on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Archivos de programa\Real\RealPlayer\RealPlay.exe
C:\windows\winsysban11.exe
C:\Archivos de programa\Network\ipnetwork.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Archivos de programa\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Luis Teuffer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [RealTray] C:\Archivos de programa\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Archivos de programa\Network\ipnetwork.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\irp0l57m1.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\THVpcyBUZXVmZmVy\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe

#6 sUBs (Malware Response Team, 2,489 posts)

Posted 27 February 2006 - 07:35 PM

Well done. We got rid of one of the main infections. Let's press on with the disinfection.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


  • Download and run - bfu.zip
  • Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  • Click the Web button located on the top right corner
  • Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  • Execute the script by clicking the Execute button.
  • When it finishes running, click the Save button for a copy of the log
  • Post the log created by the script when you have completed the fix
* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Command Service (cmdService)
  • Double-click on it to open the Properties dialog.
    - Change the Startup type to Disabled & then click on the Apply button
    - Stop the service by using the Stop button.
  • Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  • In the popup box that appears, copy/paste cmdService
  • Click on the OK button & answer No if prompted to reboot
Repeat steps 1-5 for these other services :-
  • Network Monitor
* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Archivos de programa\Network\ipnetwork.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\irp0l57m1.dll (file missing)



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Archivos de programa\Network Monitor\
    C:\windows\winsysban11.exe
    C:\Archivos de programa\Network\
    C:\winsysupd12.exe
    C:\gimmygames12.exe
    C:\WINDOWS\THVpcyBUZXVmZmVy\
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it is important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • BFU's log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
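The entries the post above tells Hanz to disable, fix or delete share a few observable traits: a service or Winlogon Notify hook whose binary is already missing, a service with no publisher string, Run entries that launch executables from the root of C:\ or straight out of the Windows folder, and several IE search/start-page settings all redirected to one host. The script below is an added example (not part of this thread, not HijackThis code, and not the response team's own procedure) that applies those rules to lines copied from Hanz's log; the rules are this example's own heuristics and deliberately leave some of the entries the post fixes unflagged. It also performs one extra check a practitioner would want: the directory name THVpcyBUZXVmZmVy in the cmdService path is valid base64 and decodes to Luis Teuffer, the profile name that appears in the paths elsewhere in this thread's logs, so the name was derived from the victim's account rather than being random.

```python
"""Rule-based triage of HijackThis log entries (added example, not HijackThis code)."""
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban11.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\irp0l57m1.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\THVpcyBUZXVmZmVy\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def decode_base64_name(component: str):
    """Return the plaintext if a path component is base64 of printable ASCII, else None.

    Droppers sometimes hide per-victim data (here the user's profile name) in a
    directory name that looks like random junk."""
    if not B64_NAME.match(component) or len(component) % 4:
        return None
    try:
        text = base64.b64decode(component, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding, or bytes that are not ASCII
        return None
    return text if text.isprintable() and text.strip() else None


def path_of(kind: str, body: str) -> str:
    """Extract the file path from an O4, O20 or O23 entry body."""
    if kind == "O4" and "] " in body:          # "[label] <path>"
        path = body.split("] ", 1)[1]
    elif kind == "O20" and " - " in body:      # "Winlogon Notify: <name> - <dll>"
        path = body.split(" - ", 1)[1]
    elif kind == "O23" and " - " in body:      # "Service: <name> - <owner> - <exe>"
        path = body.rsplit(" - ", 1)[1]
    else:
        return ""
    return path.replace(" (file missing)", "").strip()


def triage(log: str) -> dict:
    """Map each suspicious entry to the list of reasons it was flagged (heuristics of this example)."""
    findings = {}
    settings_by_host = defaultdict(set)  # registrable host -> IE settings it controls
    for raw in log.strip().splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            setting, _, url = body.partition(" = ")
            host = urlsplit(url.strip()).hostname or ""
            settings_by_host[".".join(host.split(".")[-2:])].add(setting)
            continue
        path = path_of(kind, body)
        reasons = []
        if "(file missing)" in body:
            reasons.append("startup hook points at a file that no longer exists")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher name")
        if kind == "O4" and re.match(r"(?i)^[a-z]:\\+[^\\]+$", path):
            reasons.append("Run entry launches an executable from the drive root")
        if kind == "O4" and re.search(r"(?i)^[a-z]:\\windows\\[^\\]+\.exe$", path):
            reasons.append("Run entry launches an executable dropped directly in %SystemRoot%")
        for component in path.split("\\"):
            decoded = decode_base64_name(component)
            if decoded:
                reasons.append(f"directory name {component!r} is base64 of {decoded!r}")
        if reasons:
            findings[line] = reasons
    # Several IE search/start settings pointing at one third-party host is the
    # classic browser-hijack signature, whatever the host is called.
    for host, settings in settings_by_host.items():
        if len(settings) > 1:
            findings[f"R0/R1 -> {host}"] = [
                f"{len(settings)} IE search/start settings redirected to the same host"]
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

The LexBce service and the dumprep entry pass every rule, which is the point of writing rules down: they separate "looks odd" from "is odd" and give you something to re-run on the fresh log the post asks for at the end.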

#7 Hanz
  • Topic Starter

Posted 28 February 2006 - 12:04 AM

Sorry if I am late posting this, but I was a little bit busy.
Here is the new log.


BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 10:59:18 a.m., on 28/02/2006

Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FileDelete C:\Archivos de programa\Common Files\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Archivos de programa\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Archivos de programa\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Archivos de programa\Network\ipnetwork.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\LUISTE~1\CONFIG~1\Temp\~DF7969.tmp (operation failed)
Failed: FolderDelete C:\WINDOWS\Temp\Historial (operation failed)
Failed: FolderDelete C:\Archivos de programa\Maxifiles (folder not found)
Failed: FolderDelete C:\Archivos de programa\DNS (folder not found)
Failed: FolderDelete C:\Archivos de programa\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Archivos de programa\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Archivos de programa\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Archivos de programa\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Archivos de programa\MsConfigs (folder not found)
Failed: FolderDelete C:\Archivos de programa\winupdates (folder not found)
Failed: FolderDelete C:\Archivos de programa\winupdate (folder not found)
Failed: FolderDelete C:\Archivos de programa\winsupdater (folder not found)
Failed: FolderDelete C:\Archivos de programa\MsUpdate (folder not found)
Failed: FolderDelete C:\Archivos de programa\MsMovies (folder not found)
Failed: FolderDelete C:\Archivos de programa\wmplayer (folder not found)
Script completed.

#8 sUBs

Posted 28 February 2006 - 12:06 AM

Where are the rest of the logs?

#9 Hanz
  • Topic Starter

Posted 28 February 2006 - 12:16 AM

That's just the bfu.zip log, so I have a doubt: must I do all the additional downloads?

#10 sUBs

Posted 28 February 2006 - 12:17 AM

The Bfu takes care of another one of your infections.

The rest of the downloads would do the cleaning up.

#11 Hanz
  • Topic Starter

Posted 02 March 2006 - 01:19 PM

Hey, I've just scanned my computer with Ewido and it showed this log.
In some of the files it shows the text 'mistake during the cleaning', so I have a doubt about that. What can I do?
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:00:14 a.m., 03/03/2006
+ Report-Checksum: 53843932

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\HbTools -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar -> Adware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar\Install -> Adware.HotBar : Cleaned with backup
HKU\S-1-5-21-1757981266-920026266-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@ad.adocean[2].txt -> TrackingCookie.Adocean : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@ads20.hyperbanner[1].txt -> TrackingCookie.Hyperbanner : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@axa.addcontrol[1].txt -> TrackingCookie.Addcontrol : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@educationsuccess.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@my.adocean[2].txt -> TrackingCookie.Adocean : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@targad[1].txt -> TrackingCookie.Targad : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Cookies\luis teuffer@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\Luis\LIMEWIRE\apocalyptica bittersweet midi.zip/1.wma -> Downloader.Wimad.d : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\Luis\Mago de Oz\Metallica\1.wma -> Downloader.Wimad.d : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/e2202cfmgf2a2.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/en46l1hs1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/en64l1jq1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/enjul1191.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/enp2l17o1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/enpql1751.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/h44m0eh1eh4.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/i4lo0e33eh.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/ir22l5fo1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/irp0l57m1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/k4440ehqeh4e0.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/kxdusr.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/l66olgj316o.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/m682lglo16qc.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/o0ns0a57ed.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/p2n8lc5u1f.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/p68qlgl516q.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/q0nu0a59ed.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/q6rqlg9516.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/r6r6lg9s16.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/xqsp2res.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\e2202cfmgf2a2.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\en46l1hs1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\en64l1jq1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\enjul1191.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\enp2l17o1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\enpql1751.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\h44m0eh1eh4.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\i4lo0e33eh.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\ir22l5fo1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\irp0l57m1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\k4440ehqeh4e0.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\kxdusr.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\l66olgj316o.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\m682lglo16qc.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\o0ns0a57ed.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\p2n8lc5u1f.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\p68qlgl516q.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\q0nu0a59ed.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\q6rqlg9516.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\r6r6lg9s16.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\xqsp2res.dll -> Adware.Look2Me : Cleaned with backup
C:\gimmygames10.exe -> Trojan.VB.ajj : Cleaned with backup
C:\gimmygames10a.exe -> Downloader.VB.xl : Cleaned with backup
C:\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\gimmygames12.exe -> Downloader.Adload.v : Cleaned with backup
C:\gimmygames9.exe -> Downloader.VB.ww : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\gimmygames10.exe -> Trojan.VB.ajj : Cleaned with backup
C:\WINDOWS\gimmygames10a.exe -> Downloader.VB.xl : Cleaned with backup
C:\WINDOWS\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\WINDOWS\gimmygames9.exe -> Downloader.VB.ww : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\system32\im.exe -> Not-A-Virus.PSWTool.Win32.Messen.103 : Cleaned with backup
C:\WINDOWS\system32\ps.exe -> Dropper.Agent.mf : Cleaned with backup
C:\WINDOWS\system32\pwha.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup
C:\winsysupd12.exe -> Hijacker.StartPage.aib : Cleaned with backup


::End Report
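A check worth running on a report like the one above before worrying about the "error during cleaning" lines: every failed object in it has the form <archive>.zip/<member> (the l2mfix backup.zip and one LimeWire download), i.e. the scanner found the detection inside an archive that it reports but does not rewrite in place, while the same DLLs sitting loose in l2mfix\dlls were cleaned. The script below is an added example (not ewido's code and not part of this thread) that groups failed results by the archive containing them and separates out any failure that is not an archive member and so needs a different explanation; the sample lines are a handful copied from the report with the status text translated, and the archive-member rule is this example's own reading of the report format.

```python
"""Group ewido 'Error during cleaning' results by the archive that holds them (added example)."""
import re
from collections import Counter, defaultdict

# Sample input: six lines copied from the report in this thread (status translated).
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\HbTools -> Adware.HotBar : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\Documents and Settings\Luis Teuffer\Mis documentos\Luis\LIMEWIRE\apocalyptica bittersweet midi.zip/1.wma -> Downloader.Wimad.d : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/irp0l57m1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\backup.zip/dlls/xqsp2res.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Luis Teuffer\Mis documentos\mOlkO\Nueva carpeta\l2mfix\dlls\irp0l57m1.dll -> Adware.Look2Me : Cleaned with backup
"""

RESULT = re.compile(r"^(?P<obj>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")
# ewido prints members of an archive as <archive>/<member> with a forward slash,
# while on-disk paths use backslashes; that slash is what identifies a member.
ARCHIVE_MEMBER = re.compile(r"(?i)^(?P<archive>.+?\.(?:zip|rar|cab))/(?P<member>.+)$")


def parse(report: str):
    """Yield (object, detection, status) for every result line in the report."""
    for line in report.strip().splitlines():
        m = RESULT.match(line.strip())
        if m:
            yield m.group("obj"), m.group("detection"), m.group("status")


def status_counts(report: str) -> Counter:
    """How many results ended in each status."""
    return Counter(status for _, _, status in parse(report))


def failed_by_archive(report: str):
    """Split failed cleanups into archive members (grouped by archive) and the rest.

    The archive itself is the thing to delete or quarantine; 'loose' failures
    are files on disk and need a different explanation (locked, in use, ...)."""
    by_archive = defaultdict(list)
    loose = []
    for obj, _, status in parse(report):
        if not status.startswith("Error"):
            continue
        m = ARCHIVE_MEMBER.match(obj)
        if m:
            by_archive[m.group("archive")].append(m.group("member"))
        else:
            loose.append(obj)
    return dict(by_archive), loose


if __name__ == "__main__":
    print(status_counts(SAMPLE_REPORT))
    archives, loose = failed_by_archive(SAMPLE_REPORT)
    for archive, members in archives.items():
        print(archive, "->", len(members), "member(s) flagged but not cleaned")
    print("failures outside archives:", loose)
```

Run against the full report the same way, the l2mfix backup.zip collects all 21 Look2Me members and the loose list stays empty, which turns a wall of red lines into two files to deal with.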

#12 sUBs

Posted 02 March 2006 - 01:49 PM

Before I can proceed, I require ALL of these other logs:

* HiJackThis log
* Online Scan

#13 sUBs

Posted 10 March 2006 - 09:21 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



