Info Stealer, I Dont Know What Files To Delete


This topic is locked.
9 replies to this topic

#1 mamavirus

mamavirus

  • Members
  • 6 posts

Posted 27 April 2007 - 08:14 PM

I have had this info stealer since last week. It is driving me nuts. I have read similar posts and have followed the directions, but I do not know what needs to be deleted. I have already downloaded ComboFix and ran the program, but I do not know what I need to delete or fix with HijackThis before running The Avenger.
This is my combofix.txt log:



ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\mama\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\oppnn.dll
C:\WINDOWS\system32\nnppo.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\U29ubmllc2lt\command.exe
C:\WINDOWS\U29ubmllc2lt\asappsrv.dll
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\b122.exe
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\webhancer
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\mama
C:\qoobox\purity\C\DOCUME~1\mama\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\mama\MYDOCU~1\DOBE~1
C:\qoobox\purity\C\Program Files\SCURIT~1
C:\qoobox\purity\C\WINDOWS\YSTEM~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-26 10:16 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\Help
2007-04-25 12:40 60,928 --a------ C:\WINDOWS\system32\ziia.dll
2007-04-25 12:40 2 --a------ C:\WINDOWS\system32\winticomsv.exe
2007-04-25 12:40 <DIR> d-------- C:\Program Files\s?curity
2007-04-25 08:33 <DIR> d-------- C:\WINDOWS\uzfk
2007-04-25 08:33 <DIR> d-------- C:\Program Files\Common Files\uzfk
2007-04-25 08:18 <DIR> d--hs---- C:\WINDOWS\U29ubmllc2lt
2007-04-23 10:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-23 04:52 <DIR> d-------- C:\VundoFix Backups
2007-04-22 21:43 <DIR> d-------- C:\WINDOWS\pss
2007-04-22 18:41 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-22 18:41 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-04-22 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-22 15:45 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\SpywareBot
2007-04-22 15:16 <DIR> d-------- C:\Program Files\SymNetDrv
2007-04-22 14:58 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-22 14:58 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2007-04-22 14:58 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-22 14:57 <DIR> d-------- C:\Program Files\Symantec
2007-04-22 14:57 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-22 14:57 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-22 14:57 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\Symantec
2007-04-22 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-04-22 14:56 49,204 --a------ C:\WINDOWS\system32\iacmrfrn.dll
2007-04-22 14:15 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-04-22 14:15 <DIR> d-------- C:\Program Files\DivX
2007-04-22 13:54 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\vlc
2007-04-22 13:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-04-22 13:02 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-22 12:55 73,728 -ra------ C:\WINDOWS\system32\CNMCP53.exe
2007-04-22 12:55 5,632 --a------ C:\WINDOWS\system32\CNMVS53.DLL
2007-04-22 12:55 100,352 --a------ C:\WINDOWS\system32\CNMLM53.DLL
2007-04-22 12:55 <DIR> d--h----- C:\BJPrinter
2007-04-22 12:22 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-04-22 12:22 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-04-22 12:22 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-22 12:22 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-04-22 12:22 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-22 12:20 <DIR> d-------- C:\Program Files\Winamp
2007-04-22 12:08 <DIR> d--hs---- C:\RECYCLER
2007-04-22 12:04 <DIR> d---s---- C:\DOCUME~1\mama\UserData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-22 16:21 -------- d-------- C:\DOCUME~1\mama\APPLIC~1\trevoli
2007-03-20 19:39 -------- d-------- C:\Program Files\microsoft activesync
2007-03-20 19:36 -------- d-------- C:\Program Files\Common Files\l&h
2007-03-11 23:29 -------- d-------- C:\Program Files\photo finale
2007-03-11 23:22 -------- d-------- C:\Program Files\Common Files\nero
2007-03-11 23:12 -------- d-------- C:\Program Files\messenger
2007-03-11 22:42 -------- d--h----- C:\Program Files\windowsupdate
2007-03-11 22:38 -------- d-------- C:\Program Files\microsoft frontpage
2007-03-11 22:37 0 -rahs---- C:\MSDOS.SYS
2007-03-11 22:37 0 -rahs---- C:\IO.SYS
2007-03-11 22:37 0 --a------ C:\CONFIG.SYS
2007-03-11 22:37 0 --a------ C:\AUTOEXEC.BAT
2007-03-11 22:35 -------- d-------- C:\Program Files\online services
2007-03-11 22:34 -------- d-------- C:\Program Files\movie maker
2007-03-11 22:34 -------- d-------- C:\Program Files\Common Files\mssoap
2007-03-11 22:33 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-11 22:32 -------- d-------- C:\Program Files\windows nt
2007-03-11 22:32 -------- d-------- C:\Program Files\msn gaming zone
2007-03-11 14:17 -------- d-------- C:\Program Files\Common Files\speechengines
2007-03-11 14:17 -------- d-------- C:\Program Files\Common Files\odbc
2007-03-11 14:16 62 --ahs---- C:\DOCUME~1\mama\APPLIC~1\desktop.ini
2007-02-19 04:01 252356 --a------ C:\WINDOWS\b128.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{1557B435-8242-4686-9AA3-9265BF7525A4}"="C:\WINDOWS\System32\iacmrfrn.dll"
"{1995AF3B-39D3-3B55-A33D-6AE33D94FCE8}"="C:\WINDOWS\System32\ziia.dll"
"{BDF3E430-B101-42AD-A544-FADC6B084872}"="C:\Program Files\Norton AntiVirus\NavShExt.dll"
"{FDD62CBB-33CC-409C-B259-002D684808C9}"="C:\WINDOWS\System32\efcyx.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"uzfk"="C:\\PROGRA~1\\COMMON~1\\uzfk\\uzfkm.exe"
"Ouuu"="\"C:\\DOCUME~1\\mama\\MYDOCU~1\\DOBE~2\\fast.exe\" -vt yazb"
"Qddg"="\"C:\\Program Files\\s?curity\\l?ass.exe\""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareBot"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 18:39:49
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 18:39:51
C:\ComboFix-quarantined-files.txt ... 07-04-27 18:39


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 April 2007 - 09:02 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
First let me strongly advise against doing anything with Avenger without expert assistance. It's a very powerful program and you could easily destroy your operating system if you're not careful.


Please download Deckard's System Scanner (DSS)

1. Download Deckard's System Scanner (DSS) to your Desktop (or other convenient location).
2. Close any open applications and windows.
3. Double-click on dss.exe to run it, and follow the prompts.
4. When the scan is complete, a text file will open - main.txt
5. Copy the text from that log and paste it into your post.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet. Please allow it permission to do so.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 mamavirus

mamavirus
  • Topic Starter

  • Members
  • 6 posts

Posted 28 April 2007 - 06:31 PM

Thanks, I included a combofix.txt initially, but I have run the DSS and the file is included below.


Deckard's System Scanner v20070426.43
Run by mama on 2007-04-28 at 18:50:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2007-04-29 01:50:39 UTC - RP12 - Deckard's System Scanner Restore Point
11: 2007-04-26 19:01:43 UTC - RP11 - System Checkpoint
10: 2007-04-23 11:34:24 UTC - RP10 - Restore Operation
9: 2007-04-23 05:24:14 UTC - RP9 - Restore Operation
8: 2007-04-22 21:57:08 UTC - RP8 - Installed Norton AntiVirus 2002


-- First Restore Point --
1: 2007-03-12 06:12:57 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as mama.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:52:22 PM, on 4/28/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\uzfk\uzfkm.exe
C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe
C:\Program Files\s?curity\l?ass.exe
C:\PROGRA~1\COMMON~1\uzfk\uzfka.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mama\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\mama.exe

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\iacmrfrn.dll
O2 - BHO: (no name) - {1995AF3B-39D3-3B55-A33D-6AE33D94FCE8} - C:\WINDOWS\System32\ziia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD62CBB-33CC-409C-B259-002D684808C9} - C:\WINDOWS\System32\efcyx.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uzfk] C:\PROGRA~1\COMMON~1\uzfk\uzfkm.exe
O4 - HKCU\..\Run: [Ouuu] "C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Qddg] "C:\Program Files\s?curity\l?ass.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\mama\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-04-28 18:46:19 410 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-04-23 03:00:00 486 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
2007-04-22 15:01:24 462 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job


-- Files created between 2007-03-28 and 2007-04-28 -----------------------------

2007-04-26 10:16:52 0 d-------- C:\Documents and Settings\mama\Application Data\Help
2007-04-25 12:40:12 2 --a------ C:\WINDOWS\System32\winticomsv.exe
2007-04-25 12:40:09 0 d-------- C:\Program Files\s?curity
2007-04-25 12:40:07 60928 --a------ C:\WINDOWS\System32\ziia.dll
2007-04-25 08:33:57 0 d-------- C:\WINDOWS\uzfk
2007-04-25 08:33:57 0 d-------- C:\Program Files\Common Files\uzfk
2007-04-25 08:18:46 0 d--hs---- C:\WINDOWS\U29ubmllc2lt
2007-04-23 10:02:50 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-23 10:02:44 0 d-------- C:\Documents and Settings\mama\Application Data\Mozilla
2007-04-23 04:52:40 0 d-------- C:\VundoFix Backups
2007-04-22 21:43:48 0 d-------- C:\WINDOWS\pss
2007-04-22 18:41:50 765952 --a------ C:\WINDOWS\System32\xvidcore.dll
2007-04-22 18:41:50 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-04-22 16:04:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-22 15:45:43 0 d-------- C:\Documents and Settings\mama\Application Data\SpywareBot
2007-04-22 15:16:03 0 d-------- C:\Program Files\SymNetDrv
2007-04-22 14:59:08 0 d---s---- C:\WINDOWS\System32\Microsoft
2007-04-22 14:58:16 4032 --a------ C:\WINDOWS\System32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2007-04-22 14:58:16 36864 --a------ C:\WINDOWS\System32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2007-04-22 14:58:16 57696 --a------ C:\WINDOWS\System32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2007-04-22 14:57:52 0 d-------- C:\Documents and Settings\mama\Application Data\Symantec
2007-04-22 14:57:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-04-22 14:57:27 0 d-------- C:\Program Files\Symantec
2007-04-22 14:57:13 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-22 14:57:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-22 14:56:32 49204 --a------ C:\WINDOWS\System32\iacmrfrn.dll
2007-04-22 14:15:25 0 d-------- C:\WINDOWS\System32\quicktime
2007-04-22 14:15:24 0 d-------- C:\Program Files\DivX
2007-04-22 13:54:29 0 d-------- C:\Documents and Settings\mama\Application Data\vlc
2007-04-22 13:50:27 0 d-------- C:\Program Files\VideoLAN
2007-04-22 12:55:12 73728 -ra------ C:\WINDOWS\System32\CNMCP53.exe <Not Verified; CANON INC.; Canon BJ Raster Printer Driver Installer>
2007-04-22 12:55:09 0 d--h----- C:\BJPrinter
2007-04-22 12:20:21 0 d-------- C:\Program Files\Winamp
2007-04-22 12:14:30 0 d-------- C:\Documents and Settings\mama\Application Data\Macromedia
2007-04-22 12:04:29 0 d---s---- C:\Documents and Settings\mama\UserData


-- Find3M Report ---------------------------------------------------------------

2007-04-22 16:21:06 0 d-------- C:\Documents and Settings\mama\Application Data\Trevoli
2007-03-20 19:39:21 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-03-20 19:36:36 0 d-------- C:\Program Files\Common Files\L&H
2007-03-11 23:29:30 0 d-------- C:\Program Files\Photo Finale
2007-03-11 23:23:47 0 d-------- C:\Program Files\Ahead
2007-03-11 23:22:16 0 d-------- C:\Program Files\Common Files\Nero
2007-03-11 23:19:42 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-11 23:12:40 0 d-------- C:\Program Files\Messenger
2007-03-11 23:12:40 0 d-------- C:\Documents and Settings\mama\Application Data\Identities
2007-03-11 22:42:22 0 d--h----- C:\Program Files\WindowsUpdate
2007-03-11 22:38:11 0 d-------- C:\Program Files\microsoft frontpage
2007-03-11 22:37:24 0 -rahs---- C:\MSDOS.SYS
2007-03-11 22:37:24 0 -rahs---- C:\IO.SYS
2007-03-11 22:37:24 0 --a------ C:\CONFIG.SYS
2007-03-11 22:37:24 0 --a------ C:\AUTOEXEC.BAT
2007-03-11 22:35:33 0 d-------- C:\Program Files\Online Services
2007-03-11 22:34:59 0 d-------- C:\Program Files\Movie Maker
2007-03-11 22:34:15 0 d-------- C:\Program Files\Common Files\MSSoap
2007-03-11 22:33:27 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat
2007-03-11 22:32:39 0 d-------- C:\Program Files\Windows NT
2007-03-11 22:32:39 0 d-------- C:\Program Files\MSN Gaming Zone
2007-03-11 14:17:06 0 d-------- C:\Program Files\Common Files\ODBC
2007-03-11 14:17:03 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-03-11 14:16:35 62 --ahs---- C:\Documents and Settings\mama\Application Data\desktop.ini
2007-02-19 04:01:20 252356 --a------ C:\WINDOWS\b128.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\System32\iacmrfrn.dll
{1995AF3B-39D3-3B55-A33D-6AE33D94FCE8} C:\WINDOWS\System32\ziia.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll
{FDD62CBB-33CC-409C-B259-002D684808C9} C:\WINDOWS\System32\efcyx.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"uzfk"="C:\\PROGRA~1\\COMMON~1\\uzfk\\uzfkm.exe"
"Ouuu"="\"C:\\DOCUME~1\\mama\\MYDOCU~1\\DOBE~2\\fast.exe\" -vt yazb"
"Qddg"="\"C:\\Program Files\\s?curity\\l?ass.exe\""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareBot"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-28 at 18:53:03 ---------

Attached file: main.txt (11.52KB)


#4 mamavirus

mamavirus
  • Topic Starter

  • Members
  • 6 posts

Posted 28 April 2007 - 08:04 PM

Please, I need help.

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 April 2007 - 08:52 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\iacmrfrn.dll
O2 - BHO: (no name) - {1995AF3B-39D3-3B55-A33D-6AE33D94FCE8} - C:\WINDOWS\System32\ziia.dll
O2 - BHO: (no name) - {FDD62CBB-33CC-409C-B259-002D684808C9} - C:\WINDOWS\System32\efcyx.dll (file missing)
O4 - HKCU\..\Run: [uzfk] C:\PROGRA~1\COMMON~1\uzfk\uzfkm.exe
O4 - HKCU\..\Run: [Ouuu] "C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Qddg] "C:\Program Files\s?curity\l?ass.exe"



==============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\System32\iacmrfrn.dll
    C:\WINDOWS\System32\ziia.dll
    C:\PROGRA~1\COMMON~1\uzfk\uzfkm.exe
    C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe
    C:\WINDOWS\System32\winticomsv.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============


Please run Combofix once again and post the resulting log.


========================================================
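The six lines Sam picks out above can be recovered from the log mechanically. The following is an added example, not code from this thread or from HijackThis: it parses the O2 (BHO), O4 (Run key / Startup folder) and O16 (Downloaded Program Files) lines of a HijackThis 1.99 log and applies the signals a helper reads off such a log by eye: a BHO with no display name, an entry whose file is missing, a look-alike name where the tools rendered a non-ASCII character as "?" (s?curity, l?ass.exe), a random-looking four-letter Run value name, an autostart launched from a user profile directory, and an ActiveX install sourced from a local Temp .chm. The sample log is the set of O2/O4/O16 lines copied from the log posted earlier in the thread; the heuristics and their thresholds are the example's own choices, and each is weak on its own. On this input they select the same six lines Sam listed plus the O16 entry for winfix.chm, which he did not.

```python
"""Triage the autostart lines of a HijackThis 1.99 log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the O2/O4/O16 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\iacmrfrn.dll
O2 - BHO: (no name) - {1995AF3B-39D3-3B55-A33D-6AE33D94FCE8} - C:\WINDOWS\System32\ziia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD62CBB-33CC-409C-B259-002D684808C9} - C:\WINDOWS\System32\efcyx.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uzfk] C:\PROGRA~1\COMMON~1\uzfk\uzfkm.exe
O4 - HKCU\..\Run: [Ouuu] "C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Qddg] "C:\Program Files\s?curity\l?ass.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\mama\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$')
O4_RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} (?:\(.*?\) )?- (?P<url>.*)$')
USER_PROFILE_RE = re.compile(r'\\(?:DOCUME~1|Documents and Settings)\\', re.I)


@dataclass
class Entry:
    kind: str      # 'O2', 'O4' or 'O16'
    name: str      # BHO display name, Run value name, or DPF CLSID
    path: str      # DLL path, executable path, or codebase URL
    missing: bool  # HijackThis reported "(file missing)"
    raw: str       # the original log line


def executable_of(cmd: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    i = cmd.lower().find('.exe')          # unquoted paths may contain spaces
    return cmd[:i + 4] if i >= 0 else cmd.split(' ', 1)[0]


def parse(log_text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O2_RE.match(line):
            entries.append(Entry('O2', m['name'], m['path'], m['missing'] is not None, line))
        elif (m := O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)):
            entries.append(Entry('O4', m['name'], executable_of(m['cmd']), False, line))
        elif m := O16_RE.match(line):
            entries.append(Entry('O16', m['clsid'], m['url'], False, line))
    return entries


def reasons_for(e: Entry) -> list[str]:
    """Cheap signals; each is weak alone, which is why all of them are reported."""
    reasons = []
    if e.kind == 'O2' and e.name == '(no name)':
        reasons.append('BHO with no display name')
    if e.missing:
        reasons.append('orphaned entry, file missing on disk')
    # HijackThis/ComboFix write characters outside their code page as '?', so
    # "s?curity" and "l?ass.exe" are most likely look-alikes of "security"/"lsass.exe".
    if '?' in e.path or any(ord(c) > 126 for c in e.path):
        reasons.append('look-alike or non-ASCII characters in path')
    if e.kind in ('O2', 'O4') and USER_PROFILE_RE.search(e.path):
        reasons.append('loaded from a user profile directory')
    if e.kind == 'O4' and re.fullmatch(r'[A-Za-z]{4}', e.name):
        reasons.append('random-looking 4-letter Run value name')
    if e.kind == 'O16' and re.search(r'\\Temp\\|\.chm', e.path, re.I):
        reasons.append('ActiveX install sourced from a local Temp/.chm file')
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    return {e.raw: r for e in parse(log_text) if (r := reasons_for(e))}


def fix_list(log_text: str) -> list[str]:
    """The lines you would tick under Fix Checked in HijackThis, in log order."""
    return list(triage(log_text))


if __name__ == '__main__':
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for w in why:
            print('    ->', w)
```

Running the file prints each flagged line with its reasons; `fix_list()` returns the same lines in log order. A name-based rule such as the four-letter check will also hit legitimate software with terse value names, so treat the output as a reading list rather than a delete list: confirm the file's location, creation date and signature before fixing it.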

#6 mamavirus

mamavirus
  • Topic Starter

  • Members
  • 6 posts

Posted 29 April 2007 - 10:42 PM


I got confused with the clipboard thing. It did not work, so I pasted several times with Ctrl+V, but I could only see one line in the drop-down.

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 April 2007 - 09:04 AM

It's ok to do them one at a time.


========================================================

#8 mamavirus

mamavirus
  • Topic Starter

  • Members
  • 6 posts

Posted 30 April 2007 - 09:43 AM



so i did it several times changing the first one out. :thumbsup:

this is the log..


Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 6:36 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\iacmrfrn.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 6:52:01 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\iacmrfrn.dll



Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 6:56 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\iacmrfrn.dll


pendingFileRenameOperations Registry Data has been Removed by External Process! @ 7:55:16 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\iacmrfrn.dll


Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:16 PM

# 1 [Files to Delete]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist


# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:27:15 PM
# 3 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:28:01 PM
# 4 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:29:12 PM
# 5 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:30:15 PM
# 6 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:30:55 PM
Killbox Closed(Exit) @ 8:31:18 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:33 PM

Killbox Closed(Exit) @ 8:37:24 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:39 PM

# 1 [Delete on Reboot]
Path = C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe


I Rebooted @ 8:40:05 PM
Killbox Closed(Exit) @ 8:40:08 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:41 PM

Killbox Closed(Exit) @ 8:44:19 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:47 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\winticomsv.exe


I Rebooted @ 8:48:30 PM

Killbox Closed(Exit) @ 8:48:32 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:49 PM

# 1 [Delete on Reboot]
Path = C:\PROGRA~1\COMMON~1\uzfk\uzfkm.exe


I Rebooted @ 8:53:05 PM

Killbox Closed(Exit) @ 8:53:07 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:57 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:57:40 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:58:13 PM
# 3 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:58:36 PM
# 4 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll



PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:59:05 PM
# 5 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:59:50 PM
# 6 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll



PendingFileRenameOperations Registry Data has been Removed by External Process! @ 9:00:31 PM
Killbox Closed(Exit) @ 9:01:20 PM

:flowers:
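The Killbox Actions History Log above records, for each queued request, one of three outcomes: the machine reached "I Rebooted" with the entry still queued, the queued PendingFileRenameOperations registry value was removed by some other process before any reboot (the log does not say by what), or a new request or session started with nothing logged. Reconciling every entry with its outcome by hand across a dozen sessions is error-prone, so here is a small parser as an added example (my own code, not Killbox's or the page's). The sample input is an abridged copy of the log above, constructed to keep the example short; the outcome names are mine.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample input: an abridged copy of the Killbox log posted above
# (three of the sessions, with the repeated ziia.dll entries cut down to two).
KILLBOX_LOG = r"""
Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 6:36 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\iacmrfrn.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 6:52:01 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\iacmrfrn.dll

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:16 PM

# 1 [Files to Delete]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist

# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\ziia.dll
*This file does not seem to exist

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:27:15 PM
Killbox Closed(Exit) @ 8:31:18 PM

Pocket Killbox version 2.0.0.648
Running on Windows XP as mama(Administrator)
was started @ Sunday, April 29, 2007, 8:39 PM

# 1 [Delete on Reboot]
Path = C:\DOCUME~1\mama\MYDOCU~1\DOBE~2\fast.exe

I Rebooted @ 8:40:05 PM
Killbox Closed(Exit) @ 8:40:08 PM
"""

ENTRY_RE = re.compile(r"^# \d+ \[(?P<mode>Delete on Reboot|Files to Delete)\]$")
PATH_RE = re.compile(r"^Path = (?P<path>.+)$")
CLEARED_RE = re.compile(r"PendingFileRenameOperations Registry Data has been Removed", re.I)


def summarize_killbox(text: str) -> Dict[str, Dict[str, int]]:
    """Count, per path, what happened to each Killbox request."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    mode = None       # mode of the entry whose "Path =" line comes next
    last_path = None  # path of the most recent entry, for the "does not seem to exist" note
    pending = None    # path queued for delete-on-reboot whose outcome is not yet logged

    def settle(outcome: str) -> None:
        nonlocal pending
        if pending is not None:
            summary[pending][outcome] += 1
            pending = None

    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            settle("no_outcome_logged")   # another request followed with nothing recorded
            mode = m["mode"]
            continue
        m = PATH_RE.match(line)
        if m and mode is not None:
            last_path = m["path"]
            if mode == "Delete on Reboot":
                summary[last_path]["queued_on_reboot"] += 1
                pending = last_path
            else:
                summary[last_path]["immediate_attempt"] += 1
            mode = None
            continue
        if line.startswith("*This file does not seem to exist") and last_path:
            summary[last_path]["reported_missing"] += 1
        elif CLEARED_RE.search(line):
            settle("cleared_externally")  # queued registry value vanished before any reboot
        elif line.startswith("I Rebooted @"):
            settle("reboot_reached")      # entry was still queued when the machine restarted
        elif line.startswith("Pocket Killbox version"):
            settle("no_outcome_logged")   # a new session began with no outcome recorded
    settle("no_outcome_logged")
    return {path: dict(counts) for path, counts in summary.items()}


def never_reached_reboot(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Paths queued for delete-on-reboot that never stayed queued until a reboot."""
    return sorted(p for p, c in summary.items()
                  if c.get("queued_on_reboot", 0) and not c.get("reboot_reached", 0))


if __name__ == "__main__":
    result = summarize_killbox(KILLBOX_LOG)
    for path, counts in result.items():
        print(path, counts)
    print("never deleted at reboot:", never_reached_reboot(result))
```

Run against the full log above, the same logic shows that the two DLLs (`iacmrfrn.dll` and `ziia.dll`) were queued again and again but never stayed queued until a reboot, while `fast.exe`, `winticomsv.exe` and `uzfkm.exe` each reached "I Rebooted" on the first attempt. On the machine itself, what is currently queued can be checked with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`.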

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:34 PM

Posted 30 April 2007 - 12:38 PM

Please run Combofix once again and post the resulting log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:34 PM

Posted 11 May 2007 - 09:18 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================
