RootKit Infection


#16 Youdamnskippy (Member, Topic Starter, 36 posts)

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.2

; Results at 11/28/2005 12:55:01 PM for strings:
; 'adchannel'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m]
"ServerAddress"="adchannel.contextplus.net"

[HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m]
"LegalNote"="http://adchannel.con...onbranded.html"

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\CqigEA3FJg6m\Cookies\Data\net\contextplus\adchannel.contextplus.net/services]

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\CqigEA3FJg6m\Cookies\Data\net\contextplus\adchannel.contextplus.net/services]
"freq_caps4"="MSCF;freq_caps4;V7yHQ1e8h0OOqYNDhbyHQwgAAACsGgAAAAAAAAEAAABXvIdDhB0AAAAAAAABAAAAIFmHQ0ceAAAAAAAAAQAAAL+GfkMHHwAAAQAAAAAAAABvHwAAAAAAAAEAAABBVIdDvB8AAAEAAAAAAAAAFiAAAAEAAAAAAAAALyAAAAAAAAABAAAA20qHQ7S/r90|||||;3360567424;30484056;adchannel.contextplus.net;/services;0;{NULL};"

; End Of The Log...

#17 Swandog46 (Malware Expert, MVP, 1,026 posts)

OK. You're infected, and we'll do this the hard way. :tazz:

Please reboot back into Safe Mode, and go to Start -> Run -> regedit and press Enter. Navigate in the left-hand panel to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m

Right-click on the key CqigEA3FJg6m and choose Export. Choose "Save as Type" to be "Text files" and save it to the desktop as export.txt or something. Reboot back into normal mode and post the contents of this text file for me. Once I have that information we can kill this thing. :)

#18 Youdamnskippy (Member, Topic Starter, 36 posts)

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m
Class Name: <NO CLASS>
Last Write Time: 11/19/2005 - 5:37 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: QUCVPLRYZZYZZaZ\p:FNLYZZYobZ4uzp 40ZQWQRCKfeZBPGTCPQZS8EJQL8NaQWQ

Value 1
Name: Device
Type: REG_SZ
Data: \\.\PDRhpn

Value 2
Name: DriverPath
Type: REG_SZ
Data: C:\WINDOWS\system32\drivers\uaglsnap.sys

Value 3
Name: DriverName
Type: REG_SZ
Data: swexrnt

Value 4
Name: HideUninstallerName
Type: REG_SZ
Data: C:\Program Files\Arcenger\dxdctsrv.exe

Value 5
Name: UninstallerPath
Type: REG_SZ
Data: C:\WINDOWS\system32\adpfil32.exe

Value 6
Name: UninstallerRegKey
Type: REG_SZ
Data: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2A73A8D1-0A53-4CD3-AC11-6DF62413AE24}

Value 7
Name: UninstallerParams
Type: REG_SZ
Data: /CTUN

Value 8
Name: HDll
Type: REG_SZ
Data: C:\WINDOWS\system32\ilschost.dll

Value 9
Name: ServerAddress
Type: REG_SZ
Data: adchannel.contextplus.net

Value 10
Name: LegalNote
Type: REG_SZ
Data: http://adchannel.con...nonbranded.html

Value 11
Name: PartnerId
Type: REG_SZ
Data: CP.IST2

Value 12
Name: InstallationId
Type: REG_SZ
Data: {X51ae14a-29e1-4e9e-4c8f-051522cccafe}

Value 13
Name: PageFiltering
Type: REG_DWORD
Data: 0x1

Value 14
Name: ClientName
Type: REG_SZ
Data: C:\Program Files\Arcenger\oletscax.exe

Value 15
Name: AutoUpdater
Type: REG_SZ
Data: C:\WINDOWS\system32\rentscax.exe

Value 16
Name: Version
Type: REG_SZ
Data: 2.0.128

Value 17
Name: CrMnTmt
Type: REG_DWORD
Data: 0x36ee80


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m\AU2
Class Name: <NO CLASS>
Last Write Time: 11/26/2005 - 12:26 PM
Value 0
Name: AP
Type: REG_SZ
Data: /DVNM="\\.\PDRhpn" /INSC="AU"

Value 1
Name: SU
Type: REG_SZ
Data: http://au.contextplu...rvices/AUServer

Value 2
Name: NPT
Type: REG_SZ
Data: 2005:11:27-01:26:18:215

Value 3
Name: <NO NAME>
Type: REG_SZ
Data: 2005:11:26-19:26:18:215

Value 4
Name: TO
Type: REG_DWORD
Data: 0x1499700


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m\AU2\RGR
Class Name: <NO CLASS>
Last Write Time: 11/19/2005 - 5:37 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m\AU2\RGR\Messages
Class Name: <NO CLASS>
Last Write Time: 11/26/2005 - 12:28 PM
Value 0
Name: {4B33A3CF-BA02-4DE5-B6C2-3A29C9C2239E}
Type: REG_BINARY
Data:
00000000 43 50 2e 72 6d 5f 32 2e - 30 2e 31 33 31 00 66 3a CP.rm_2.0.131.f:
00000010 20 65 78 65 63 75 74 69 - 6f 6e 20 74 69 6d 65 6f execution timeo
00000020 75 74 28 31 32 30 20 73 - 65 63 29 20 65 6c 61 70 ut(120 sec) elap
00000030 73 65 64 00 32 30 30 35 - 3a 31 31 3a 32 36 2d 31 sed.2005:11:26-1
00000040 39 3a 32 38 3a 33 37 3a - 30 34 33 00 00 9:28:37:043..


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m\AU2\RGR\Properties
Class Name: <NO CLASS>
Last Write Time: 11/19/2005 - 5:37 PM
Value 0
Name: CP.cv
Type: REG_BINARY
Data:
00000000 43 50 2e 63 76 00 32 2e - 30 2e 31 32 38 00 31 36 CP.cv.2.0.128.16
00000010 30 31 3a 30 31 3a 30 31 - 2d 30 30 3a 30 30 3a 30 01:01:01-00:00:0
00000020 30 3a 30 30 30 00 00 0:000..

Value 1
Name: CP.id
Type: REG_BINARY
Data:
00000000 43 50 2e 69 64 00 7b 58 - 35 31 61 65 31 34 61 2d CP.id.{X51ae14a-
00000010 32 39 65 31 2d 34 65 39 - 65 2d 34 63 38 66 2d 30 29e1-4e9e-4c8f-0
00000020 35 31 35 32 32 63 63 63 - 61 66 65 7d 00 31 36 30 51522cccafe}.160
00000030 31 3a 30 31 3a 30 31 2d - 30 30 3a 30 30 3a 30 30 1:01:01-00:00:00
00000040 3a 30 30 30 00 00 :000..

Value 2
Name: CP.pc
Type: REG_BINARY
Data:
00000000 43 50 2e 70 63 00 43 50 - 2e 49 53 54 32 00 31 36 CP.pc.CP.IST2.16
00000010 30 31 3a 30 31 3a 30 31 - 2d 30 30 3a 30 30 3a 30 01:01:01-00:00:0
00000020 30 3a 30 30 30 00 00 0:000..

Value 3
Name: CP.st
Type: REG_BINARY
Data:
00000000 43 50 2e 73 74 00 41 00 - 31 36 30 31 3a 30 31 3a CP.st.A.1601:01:
00000010 30 31 2d 30 30 3a 30 30 - 3a 30 30 3a 30 30 30 00 01-00:00:00:000.
00000020 00 .

Value 4
Name: CP.is
Type: REG_BINARY
Data:
00000000 43 50 2e 69 73 00 41 55 - 00 31 36 30 31 3a 30 31 CP.is.AU.1601:01
00000010 3a 30 31 2d 30 30 3a 30 - 30 3a 30 30 3a 30 30 30 :01-00:00:00:000
00000020 00 00 ..

Value 5
Name: CP.it
Type: REG_BINARY
Data:
00000000 43 50 2e 69 74 00 32 30 - 30 35 31 31 32 30 30 30 CP.it.2005112000
00000010 33 37 34 34 00 31 36 30 - 31 3a 30 31 3a 30 31 2d 3744.1601:01:01-
00000020 30 30 3a 30 30 3a 30 30 - 3a 30 30 30 00 00 00:00:00:000..

Value 6
Name: CP.os
Type: REG_BINARY
Data:
00000000 43 50 2e 6f 73 00 5b 32 - 5d 20 35 2e 31 2e 32 36 CP.os.[2] 5.1.26
00000010 30 30 20 22 53 65 72 76 - 69 63 65 20 50 61 63 6b 00 "Service Pack
00000020 20 32 22 00 31 36 30 31 - 3a 30 31 3a 30 31 2d 30 2".1601:01:01-0
00000030 30 3a 30 30 3a 30 30 3a - 30 30 30 00 00 0:00:00:000..


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m\AU2\TDH
Class Name: <NO CLASS>
Last Write Time: 11/26/2005 - 12:28 PM

#19 Swandog46 (Malware Expert, MVP, 1,026 posts)

OK, here goes.

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swexrnt]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\swexrnt]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\swexrnt]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\swexrnt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Option]
"OptionValue"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m]

[-HKEY_CURRENT_USER\SOFTWARE\CqigEA3FJg6m]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Aprps]

[-HKEY_CURRENT_USER\SOFTWARE\Aprps]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2A73A8D1-0A53-4CD3-AC11-6DF62413AE24}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".

Then please restart your computer into Safe Mode --- do not skip this step or the fix will fail! :tazz:

Once in Safe Mode, please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Then delete the following files:

C:\WINDOWS\system32\adpfil32.exe
C:\WINDOWS\system32\ilschost.dll
C:\WINDOWS\system32\rentscax.exe
C:\WINDOWS\system32\drivers\uaglsnap.sys

Also please delete the folder:

C:\Program Files\Arcenger

Afterwards, rehide hidden files by doing the following:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is NOT selected
5) Make sure "Hide extensions for known file types" is CHECKED
6) Make sure "Hide protected operating system files (recommended)" is CHECKED

Finally, reboot your computer back into normal mode, and please run another registry search for the string adchannel. Then please reboot back into Safe Mode again, and run the registry search for adchannel again. Reboot back into normal mode and post both logs for me please. :)
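Read together, the export in #18 and the fix.reg in #19 show the method: every service name, file path and uninstall key the fix deletes was read straight out of the values of the configuration key. The Python below is an example added to this thread (not a tool from the thread or from either poster) that does that reading mechanically: it parses regedit's "Export -> Text files" layout, decodes the REG_BINARY hex dumps (the `AU2\RGR\Messages` value turns out to hold the updater's own error text), lists the file and service artifacts, and writes the REGEDIT4 deletion stanzas they imply. The sample input is a constructed, shortened copy of the posted export. The generated file covers only what the export names; the posted fix also clears the SafeBoot `OptionValue` entries and the `Aprps` keys, which the export does not mention.

```python
"""Parse a regedit "Export -> Text files" dump, pull out the artifacts a cleanup
needs, decode REG_BINARY hex dumps, and emit REGEDIT4 deletion stanzas.
Example added to this thread; not a tool used by either poster."""
import re
CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m"
MESSAGES_KEY = CONFIG_KEY + r"\AU2\RGR\Messages"

# Constructed sample: a shortened copy of the export posted in #18.
SAMPLE_EXPORT = r"""Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m
Value 0
Name: DriverPath
Type: REG_SZ
Data: C:\WINDOWS\system32\drivers\uaglsnap.sys
Value 1
Name: DriverName
Type: REG_SZ
Data: swexrnt
Value 2
Name: UninstallerRegKey
Type: REG_SZ
Data: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2A73A8D1-0A53-4CD3-AC11-6DF62413AE24}
Value 3
Name: HDll
Type: REG_SZ
Data: C:\WINDOWS\system32\ilschost.dll

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\CqigEA3FJg6m\AU2\RGR\Messages
Value 0
Name: {4B33A3CF-BA02-4DE5-B6C2-3A29C9C2239E}
Type: REG_BINARY
Data:
00000000 43 50 2e 72 6d 5f 32 2e - 30 2e 31 33 31 00 66 3a CP.rm_2.0.131.f:
00000010 20 65 78 65 63 75 74 69 - 6f 6e 20 74 69 6d 65 6f  execution timeo
00000020 75 74 28 31 32 30 20 73 - 65 63 29 20 65 6c 61 70 ut(120 sec) elap
00000030 73 65 64 00 32 30 30 35 - 3a 31 31 3a 32 36 2d 31 sed.2005:11:26-1
00000040 39 3a 32 38 3a 33 37 3a - 30 34 33 00 00 9:28:37:043..
"""

HEXDUMP_RE = re.compile(r"^[0-9A-Fa-f]{8} (.*)$")
HEXBYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")

def hexdump_line_bytes(line):
    """Bytes on one hex-dump line: byte tokens are read until 16 are seen or the
    ASCII column starts (a short last line whose ASCII begins with two hex digits would be misread)."""
    m = HEXDUMP_RE.match(line)
    if not m:
        return b""
    out = bytearray()
    for tok in m.group(1).split():
        if tok == "-":
            continue
        if len(out) == 16 or not HEXBYTE_RE.match(tok):
            break
        out.append(int(tok, 16))
    return bytes(out)

def parse_export(text):
    """-> {key_path: {value_name: {"name", "type", "data"}}}; REG_BINARY data becomes bytes."""
    keys, key, val = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Key Name:"):
            key = line.split(":", 1)[1].strip()
            keys[key], val = {}, None
        elif re.match(r"^Value \d+$", line):
            val = {"name": None, "type": None, "data": ""}
        elif val is not None and line.startswith(("Name:", "Type:")):
            val[line[:4].lower()] = line[5:].strip()
        elif val is not None and line.startswith("Data:"):
            val["data"] = b"" if val["type"] == "REG_BINARY" else line[5:].strip()
            keys[key][val["name"]] = val
        elif val is not None and val["type"] == "REG_BINARY":
            val["data"] += hexdump_line_bytes(line)   # hex-dump continuation lines
    return keys

def binary_strings(data):
    """Split the NUL-separated text fields out of a REG_BINARY blob."""
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]

def extract_artifacts(keys, config_key=CONFIG_KEY):
    """File paths, driver service name and uninstall key named by the config key."""
    vals = keys[config_key]
    files = sorted(v["data"] for v in vals.values()
                   if v["type"] == "REG_SZ" and re.match(r"[A-Za-z]:\\", v["data"]))
    return {"files": files, "service": vals["DriverName"]["data"],
            "uninstall_key": vals["UninstallerRegKey"]["data"]}

def build_removal_reg(art, config_key=CONFIG_KEY):
    """REGEDIT4 text; a leading '-' inside [...] deletes that key when merged."""
    subkey = config_key.split("\\", 1)[1]             # SOFTWARE\CqigEA3FJg6m
    targets = [r"HKEY_LOCAL_MACHINE\SYSTEM\%s\Services\%s" % (cs, art["service"]) for cs in
               ("CurrentControlSet", "ControlSet001", "ControlSet002", "ControlSet003")]
    targets += ["HKEY_LOCAL_MACHINE\\" + subkey, "HKEY_CURRENT_USER\\" + subkey, art["uninstall_key"]]
    return "REGEDIT4\n\n" + "".join("[-%s]\n\n" % t for t in targets)

if __name__ == "__main__":
    keys = parse_export(SAMPLE_EXPORT)
    print(binary_strings(keys[MESSAGES_KEY]["{4B33A3CF-BA02-4DE5-B6C2-3A29C9C2239E}"]["data"]))
    print(build_removal_reg(extract_artifacts(keys)))
```

Generating the .reg file from the export, rather than retyping key names, removes the transcription step in which a single mistyped service name leaves the driver registered and the files hidden after the reboot.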

#20 Youdamnskippy (Member, Topic Starter, 36 posts)

Bad news, the 4 files and folder that I'm supposed to delete are nowhere to be found.

Then delete the following files:

C:\WINDOWS\system32\adpfil32.exe
C:\WINDOWS\system32\ilschost.dll
C:\WINDOWS\system32\rentscax.exe
C:\WINDOWS\system32\drivers\uaglsnap.sys

Also please delete the folder:

C:\Program Files\Arcenger

#21 Swandog46 (Malware Expert, MVP, 1,026 posts)

Reboot your system, make sure you have showing of hidden files enabled, and look again. If you removed the driver correctly by using the REG file I told you, those files should no longer be hidden. Please tell me if you still can't find them.

#22 Youdamnskippy (Member, Topic Starter, 36 posts)

I had re-checked everything last night when it didn't work but I went ahead and did it again (as per your suggestion) with no change. The files and folder are still not showing up. Sorry :-(

#23 Swandog46 (Malware Expert, MVP, 1,026 posts)

OK. Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

Please also download and run F-Secure's BlackLight:
http://www.f-secure....light/try.shtml

Scan, and post the log here for me.

I want to make sure everything is in fact gone. :tazz:

#24 Youdamnskippy (Member, Topic Starter, 36 posts)

BlackLight:
11/30/05 13:42:18 [Info]: BlackLight Engine 1.0.25 initialized
11/30/05 13:42:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/30/05 13:42:18 [Note]: 4019 4
11/30/05 13:42:18 [Note]: 4005 0
11/30/05 13:42:19 [Note]: 4006 0
11/30/05 13:42:19 [Note]: 4011 1588
11/30/05 13:42:20 [Note]: FSRAW library version 1.7.1013
11/30/05 13:42:48 [Note]: 4007 0


The RootkitRevealer file is 5.37 MB, so I am unable to post it since the max here is 1024000.
What would you like for me to do?

#25 Swandog46 (Malware Expert, MVP, 1,026 posts)

So sorry for the delay. I have a feeling it is all gone, but just to be safe... can you please email me the log at Swandog46[AT]go[DOT]com? (replace [AT] with @ and [DOT] with .) Thanks :tazz:

#26 Swandog46 (Malware Expert, MVP, 1,026 posts)

Wow, you weren't kidding --- that log is huge! It includes most of the files on your computer. That's not right....

Can you please do the following:

1) Update your Ewido definitions
2) Reboot back into Safe Mode, and run Registry Searches for each of the following strings (save the logs from each of them):

adchannel

uaglsnap

Arcenger

swexrnt


3) Then please run Ewido and run a Complete System Scan. Save the report from the scan for me.

Reboot back into normal mode and please post all the logs for me. :tazz:

#27 Youdamnskippy (Member, Topic Starter, 36 posts)

I ran a registry search with all four strings listed but I'm thinking you probably wanted me to run a separate search for each string. Just let me know if that's the case, otherwise here is what I've got:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:46:33 PM, 12/3/2005
+ Report-Checksum: 3E4AF501

+ Scan result:

:mozilla.10:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.251:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.304:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.305:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.306:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.307:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.313:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.314:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.315:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.365:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.384:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.386:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Hunter\Application Data\Mozilla\Firefox\Profiles\ouuizrd9.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup


::Report End

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.2

; Results at 12/3/2005 2:58:44 PM for strings:
; 'adchannel'
; 'uaglsnap'
; 'arcenger'
; 'swexrnt'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SWEXRNT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWEXRNT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWEXRNT]

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="adchannel"

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"006"="arcenger"

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\PROGRAM FILES\\ARCENGER\\OLETSCAX.EXE"="Internet Explorer"

; End Of The Log...
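The second Registry Search in #27 is the usual post-cleanup picture: the hits are no longer the configuration key itself but places that merely remember the names. The Python below is an example added to this thread (mine, not the search tool's output and not something either poster ran) that parses that log format and sorts each hit by where in the registry it sits. The sample is a constructed copy of the #27 hits plus one made-up hit on the `Services\swexrnt` key, the key the fix in #19 deletes, to show how a driver that is still registered would be reported. The categories and their meanings are this example's own reading: `Enum\Root\LEGACY_*` keys are Plug and Play leftovers of a legacy driver that once started, `Search Assistant\ACMru` holds terms typed into Explorer's search box, and `MUICache` records the display name of an executable that has run.

```python
"""Read a 'Registry Search' log (REGEDIT4-style hit list) and sort each hit by
where in the registry it sits, so a post-cleanup log can be read at a glance.
Example added to this thread; the categories below are this example's own
heuristics, not output of the search tool or of either poster."""
import re

# Constructed sample: the post-cleanup hits shown in #27 plus one made-up hit
# on the Services key deleted by the fix in #19, to show a live registration.
SAMPLE_LOG = r"""REGEDIT4
; Results for strings: 'adchannel' 'uaglsnap' 'arcenger' 'swexrnt'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWEXRNT]

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="adchannel"

[HKEY_USERS\S-1-5-21-1497286466-2552189465-2221179514-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\PROGRAM FILES\\ARCENGER\\OLETSCAX.EXE"="Internet Explorer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swexrnt]
"""

# (regex on the key path, category, what a hit there means); first match wins.
HIT_RULES = [
    (r"\\Services\\[^\\]+$", "service",
     "service/driver registration: the driver is still installed"),
    (r"\\Enum\\Root\\LEGACY_", "legacy_enum",
     "Plug and Play leftover of a legacy driver that once started; inert"),
    (r"\\Search Assistant\\ACMru\\", "search_history",
     "Explorer search-box history: the term was typed, not planted"),
    (r"\\ShellNoRoam\\MUICache$", "muicache",
     "cached display name: the program ran at some point; no persistence"),
]

def parse_search_log(text):
    """-> [(key, value_name, value_data)]; a key line with no value line after
    it is a key-name hit and carries None for name and data."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hits.append([key, None, None])
        elif key and line.startswith('"'):
            name, _, data = line.partition("=")
            # .reg syntax doubles backslashes inside quoted strings
            hits[-1][1:] = [name.strip('"').replace("\\\\", "\\"), data.strip('"')]
    return [tuple(h) for h in hits]

def classify(key):
    """(category, meaning) for a key path, by the first matching rule."""
    for pattern, category, meaning in HIT_RULES:
        if re.search(pattern, key, re.IGNORECASE):
            return category, meaning
    return "other", "unclassified: inspect by hand"

def triage(text):
    """Per-hit (key, name, data, category, meaning) rows and an overall verdict."""
    rows = [(k, n, d) + classify(k) for k, n, d in parse_search_log(text)]
    verdict = "infection persists" if any(r[3] == "service" for r in rows) else "residue only"
    return rows, verdict

if __name__ == "__main__":
    rows, verdict = triage(SAMPLE_LOG)
    for key, name, data, category, meaning in rows:
        print("%-15s %s\n    %s" % (category, key, meaning))
    print("verdict:", verdict)
```

Run on the real #27 log (without the constructed Services hit) the verdict is "residue only", which is the conclusion the reply in #28 reaches by eye; the `LEGACY_SWEXRNT` entries are worth deleting for tidiness but do not by themselves load anything.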

#28 Swandog46 (Malware Expert, MVP, 1,026 posts)

Nope, you did what I wanted, and assuming you ran it in Safe Mode like I asked, it looks all clear.

1) Please download the Killbox.
Unzip it to the desktop and run it.

2) Select "Delete on Reboot".

3) Go to the Options menu and choose Delete on Reboot -> Process All in List. Also choose Remove Directories.

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\adpfil32.exe
C:\WINDOWS\system32\ilschost.dll
C:\WINDOWS\system32\rentscax.exe
C:\WINDOWS\system32\drivers\uaglsnap.sys
C:\Program Files\Arcenger

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Restart your computer. How does it seem to be running? :tazz:

Edited by Swandog46, 03 December 2005 - 06:16 PM.

#29 Youdamnskippy (Member, Topic Starter, 36 posts)

Well, the good news is that I can access "My Computer" and I'm not getting bombarded by pop-ups! Thank you very much!!

The bad news is that I still have my initial problem:
I can't get XP defrag to get rid of all the (red) fragmented files.
Here is a partial copy of the latest report:


Volume MINIVM10172 (C:)
Volume size = 37.26 GB
Cluster size = 32 KB
Used space = 9.61 GB
Free space = 27.65 GB
Percent free space = 74 %

Volume fragmentation
Total fragmentation = 20 %
File fragmentation = 40 %
Free space fragmentation = 0 %

File fragmentation
Total files = 44,998
Average file size = 188 KB
Total fragmented files = 1,742
Total excess fragments = 5,425
Average fragments per file = 1.12

Pagefile fragmentation
Pagefile size = 527 MB
Total fragments = 3

Folder fragmentation
Total folders = 3,023
Fragmented folders = 24
Excess folder fragments = 43

--------------------------------------------------------------------------------

#30 Swandog46 (Malware Expert, MVP, 1,026 posts)

Well, I think you are clean of malware --- so why can't you just run the defragmenter? Do you get an error message, and if so which one?