Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

My HijackThis Log. Any help is appreciated![CLOSED]

Started by hazak , Apr 08 2008 07:42 PM

  • This topic is locked This topic is locked

#16
hazak
Posted 27 April 2008 - 07:49 AM

hazak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Wow. I THOUGHT I was cured! It says that there are 26 viruses and 76 infected items. Here is the report:






-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 27, 2008 6:48:08 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727420
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 16014
Number of viruses found: 26
Number of infected objects: 76
Number of suspicious objects: 5
Duration of the scan process: 00:36:54

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\main.txt Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Anthony\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Desktop\hijthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Anthony\Desktop\OTScanIt\MovedFiles\04192008_094956\Documents and Settings\Anthony\cftmon.exe Infected: Worm.Win32.Socks.bn skipped
C:\Documents and Settings\Anthony\Desktop\OTScanIt\MovedFiles\04192008_094956\gjtxc.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Anthony\Desktop\OTScanIt\MovedFiles\04192008_094956\WINDOWS\system32\etfqtjta.drv Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Anthony\Desktop\OTScanIt\MovedFiles\04192008_094956\WINDOWS\system32\jqhedrgrlbc.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Anthony\Desktop\OTScanIt\MovedFiles\04192008_094956\WINDOWS\system32\lpecakkacoh.nls Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Anthony\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Anthony\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Anthony\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Anthony\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Temp\famnitalqfe.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Anthony\Local Settings\Temp\ocgsl.drv Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Anthony\Local Settings\Temp\sqkqdibei.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Anthony\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\cftmon.exe Infected: Worm.Win32.Socks.bn skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Trend Micro\Thisisit\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Trend Micro\Thisisit\Thisfinal.log Suspicious: Exploit.HTML.Mht skipped
C:\QooBox\Quarantine\C\d.exe.vir Infected: Email-Worm.Win32.Locksky.ea skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\PPPATC~1\mshta.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.gda skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule13.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.ahs skipped
C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir Infected: Trojan.Win32.BHO.bfl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ayhqhuvk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cefmxsak.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dfwymlog.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dpkuxiwq.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\shepzptf.dat.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spools.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcCvUoN.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\esovjjdt.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fpbhyisa.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ftcrjwdk.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\giomrmyg.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ipobkkjl.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lyokjcew.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mgplevjx.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\msram.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.ajw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mxnsisgr.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\otgpyydd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pedllsdi.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ptcilgxp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ryvrweka.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wdjgvilw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.bjs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wtxwojpt.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xqaveafy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yvgkfqcw.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-02-27_190835.08.zip/iiktduut.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-02-27_190835.08.zip/wvwxx.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-02-27_190835.08.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054369.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054369.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054369.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054371.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054371.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054371.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054381.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054382.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054383.drv Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054384.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP42\A0054385.dll Infected: Trojan-Downloader.Win32.Peregar.v skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP43\A0055466.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP43\A0055485.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP45\A0061093.exe Infected: not-virus:Hoax.Win32.Renos.bjs skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP45\A0063159.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP45\A0063160.exe Infected: Trojan-Clicker.Win32.Costrat.fj skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP45\A0063162.exe Infected: Trojan-Downloader.Win32.Small.ujn skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP45\A0063165.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aw skipped
C:\System Volume Information\_restore{77943BE7-4611-4D04-8EFC-A6657B547EB9}\RP45\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ktkaqel.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\sqmisoe.nls Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
  • 0

Advertisements

#17
RatHat
Posted 27 April 2008 - 11:39 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Anthony\Local Settings\Temp\famnitalqfe.dll
C:\Documents and Settings\Anthony\Local Settings\Temp\ocgsl.drv
C:\Documents and Settings\Anthony\Local Settings\Temp\sqkqdibei.dll
C:\Documents and Settings\LocalService\cftmon.exe
C:\WINDOWS\system32\default.htm
C:\WINDOWS\system32\ktkaqel.dll
C:\WINDOWS\system32\sqmisoe.nls
C:\WINDOWS\system32\etfqtjta.drv
C:\WINDOWS\system32\jqhedrgrlbc.dll
C:\WINDOWS\system32\lpecakkacoh.nls
C:\WINDOWS\system32\winpfz33.sys
C:\gjtxc.exe
C:\Documents and Settings\Anthony\cftmon.exe
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\qhofkfcd.dll
C:\WINDOWS\system32\LAE1F.tmp
C:\WINDOWS\system32\LE6F9.tmp



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

So post me the OTM.txt and the MBAM Log in your next reply, then we will see if you are now clean.

Regards,
RatHat
  • 0

#18
hazak
Posted 27 April 2008 - 12:34 PM

hazak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
When I try to run Malwarebytes I get a little window that says: Run-time error '7': Out of memory


Here are my OTM results:



DllUnregisterServer procedure not found in C:\Documents and Settings\Anthony\Local Settings\Temp\famnitalqfe.dll
C:\Documents and Settings\Anthony\Local Settings\Temp\famnitalqfe.dll NOT unregistered.
C:\Documents and Settings\Anthony\Local Settings\Temp\famnitalqfe.dll moved successfully.
C:\Documents and Settings\Anthony\Local Settings\Temp\ocgsl.drv moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Anthony\Local Settings\Temp\sqkqdibei.dll
C:\Documents and Settings\Anthony\Local Settings\Temp\sqkqdibei.dll NOT unregistered.
C:\Documents and Settings\Anthony\Local Settings\Temp\sqkqdibei.dll moved successfully.
C:\Documents and Settings\LocalService\cftmon.exe moved successfully.
C:\WINDOWS\system32\default.htm moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ktkaqel.dll
C:\WINDOWS\system32\ktkaqel.dll NOT unregistered.
C:\WINDOWS\system32\ktkaqel.dll moved successfully.
C:\WINDOWS\system32\sqmisoe.nls moved successfully.
File/Folder C:\WINDOWS\system32\etfqtjta.drv not found.
File/Folder C:\WINDOWS\system32\jqhedrgrlbc.dll not found.
File/Folder C:\WINDOWS\system32\lpecakkacoh.nls not found.
File/Folder C:\WINDOWS\system32\winpfz33.sys not found.
File/Folder C:\gjtxc.exe not found.
File/Folder C:\Documents and Settings\Anthony\cftmon.exe not found.
File/Folder C:\WINDOWS\uprjiefj not found.
File/Folder C:\Documents and Settings\All Users\Application Data\qhofkfcd.dll not found.
File/Folder C:\WINDOWS\system32\LAE1F.tmp not found.
File/Folder C:\WINDOWS\system32\LE6F9.tmp not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_112837
  • 0

#19
RatHat
Posted 27 April 2008 - 12:49 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, reboot your computer, then try to run MBAM again. If you still get the error message, run an F-Secure online scan:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient

Regards,
RatHat
  • 0

#20
hazak
Posted 30 April 2008 - 07:27 PM

hazak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I'm on it tonight
  • 0

#21
RatHat
Posted 02 May 2008 - 09:29 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
How did it go?
  • 0

#22
hazak
Posted 07 May 2008 - 11:10 AM

hazak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Have been very busy. i'm doing it now
  • 0

#23
hazak
Posted 07 May 2008 - 11:23 AM

hazak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I ran the F Secure Online scan and nothing was found but now, in the past 3 days, when I go to yahoo mail, an "adult" web-site pops up initially (in another window, typically). I ran combofix again and here is the log.


ComboFix 08-05-01.3 - Anthony 2008-05-07 10:18:15.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.130 [GMT -7:00]
Running from: C:\DOCUME~1\Anthony\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Anthony\LOCALS~1\Temp\aafqdgarkae.sys
C:\DOCUME~1\Anthony\LOCALS~1\Temp\ickomkjsscj.sys
C:\DOCUME~1\Anthony\LOCALS~1\Temp\qgqajqgcmc.sys
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\Deewoo.lnk
C:\WINDOWS\system32\oechcgkkk.drv
C:\WINDOWS\system32\qgqajqgcmc.sys
C:\WINDOWS\system32\simmkfjn.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-04-27 18:56 . 2008-04-27 18:56 <DIR> d-------- C:\fsaua.data
2008-04-27 11:28 . 2008-04-27 11:28 <DIR> d-------- C:\_OTMoveIt
2008-04-21 17:41 . 2008-04-21 17:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-21 17:41 . 2008-04-21 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-21 17:34 . 2008-04-21 17:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 17:34 . 2008-04-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 20:14 . 2008-04-14 21:58 1,105,472 --a------ C:\Documents and Settings\moses again.jpg
2008-04-15 20:14 . 2008-04-14 21:52 722,640 --a------ C:\Documents and Settings\jakey is hurt.jpg
2008-04-15 20:14 . 2008-04-14 21:52 525,293 --a------ C:\Documents and Settings\at the burning bush copy.jpg
2008-04-08 18:26 . 2008-04-16 19:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-07 21:51 . 2008-04-20 07:48 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 00:37 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-22 00:37 --------- d-----w C:\Program Files\Ahead
2008-04-17 01:52 --------- d-----w C:\Documents and Settings\Anthony\Application Data\SUPERAntiSpyware.com
2008-04-09 00:22 2,484 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-07 23:07 --------- d-----w C:\Program Files\Real
2008-04-07 23:06 --------- d-----w C:\Program Files\RogueRemover FREE
2008-04-07 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\wxklifgz
2008-04-07 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\tgpajopg
2008-04-06 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\xilobsjy
2008-04-06 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\dcrwlijg
2008-04-06 21:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\ghczmnwd
2008-04-06 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\knybudcb
2008-04-06 20:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\fkvipwfg
2008-04-06 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\levipovc
2008-04-06 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\wlypotil
2008-04-06 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\tgvabops
2008-04-06 18:47 15,872 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-06 18:40 --------- d-----w C:\Program Files\Common Files\uoif
2008-04-06 18:21 10 ----a-w C:\Program Files\.autoreg
2008-03-29 06:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-26 15:50 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-24 15:54 6,029,648 ----a-w C:\Program Files\Firefox Setup 2.0.0.12.exe
2008-02-23 03:02 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-23 03:02 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

------- Sigcheck -------

2008-04-06 11:47 15872 7dd246dc611e3cb9dd4610158cf55628 C:\WINDOWS\system32\svchost.exe

2002-08-28 20:41 520704 8811476cae5bb640d46d3cb9f03307c1 C:\WINDOWS\system32\winlogon.exe

2002-08-28 20:41 1007104 12769b8ecf9a77eaba22f1c80c0462d2 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 17:36 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-22 20:02 185896]
"AntiVirusPro"="C:\Program Files\AntiVirusPro\AntiVirusPro.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"srdnhgpt"= rundll32.exe "C:\WINDOWS\System32\oechcgkkk.drv" WLEntryPoint

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINDOWS\System32\drivers\cwbmidi.sys [2001-08-17 05:19]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\System32\drivers\cwbwdm.sys [2001-08-17 05:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2001-08-17 06:47]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 10:19:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 10:20:43
ComboFix-quarantined-files.txt 2008-05-07 17:20:40
ComboFix2.txt 2008-04-17 01:57:49
ComboFix3.txt 2008-04-07 01:13:59
ComboFix4.txt 2008-04-06 21:52:39
ComboFix5.txt 2008-02-28 03:09:49

Pre-Run: 156,295,569,408 bytes free
Post-Run: 156,365,496,320 bytes free

103







What should I do from here?
  • 0

#24
RatHat
Posted 07 May 2008 - 09:30 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Well you are still infected, so I would like you to upload a couple of files for analysis:

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\system32\svchost.exe
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as svchost.txt
  • Please post the contents in your next reply.

Now I need you to do the same thing for each of the following files, saving the results of each by their filename:

C:\Program Files\.autoreg
C:\WINDOWS\System32\oechcgkkk.drv

Post the contents of each scan back here, and please make sure you identify the name of each file scanned with its results.

Regards,
RatHat
  • 0

#25
RatHat
Posted 11 May 2008 - 04:46 AM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Do you still require assistance with this log?

Regards,
RatHat
  • 0

Advertisements

#26
RatHat
Posted 13 May 2008 - 11:19 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact myself or another staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP