Computer Hope

Software => Computer viruses and spyware => Topic started by: alyoob on February 03, 2008, 09:09:19 PM

Title: Analyse hijack log and combofix
Post by: alyoob on February 03, 2008, 09:09:19 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:48 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner.YOUR-03667082DE\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops....gi3.0.84.2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7165 bytes

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 04, 2008, 09:40:36 AM

Now download  The Avenger By Swandog46 (http://"http://swandog46.geekstogo.com/avenger.zip"), and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the Input script manually box.
  
• Click on the Magnifying Glass Icon which will open a new window titled View/edit script
  
• Copy everything in the Quote box below, and paste it in the box that opens:

Drivers to unload:

Code: [Select]

Files to delete:
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wmilibb.sys
Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

• Now click the 'Done' button.
  
• Click on the Green Light and OK the prompt.
  
• You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
  
• A log file from Avenger will be produced at C:\avenger.txt

The Avenger will automatically do the following:

• It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger's actions.

• This log file will be located at C:\avenger.txt

• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

• Please attach the C:\avenger.txt in your next post.

----------

Next post please add
Avenger log

Title: Avenger log
Post by: alyoob on February 04, 2008, 09:00:58 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vjqdoblh

*******************

Script file located at: \??\C:\hxjndmfj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\wmilibb.sys not found!
Unload of driver wmilibb.sys failed!

Could not process line:
wmilibb.sys
Status: 0xc0000034

Folder C:\Temp\tn3 deleted successfully.
File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
File C:\WINDOWS\system32\drivers\wmilibb.sys deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 05, 2008, 08:08:31 AM

Download and install CleanUp! (http://cleanup.stevengould.org/)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

• Click Options...
  
• Make sure the arrow is set to Standard CleanUp!
  
• Uncheck the following: (if checked)
  • Delete Newsgroup cache
    
  • Delete Newsgroup Subscriptions
• Click OK

Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

----------

Use the  Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

• Click Accept.
  
• Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
  
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
  • 
    
    • Extended[/COLOR]
    • Scan Options:
    • 
      
      • Scan Archives[/COLOR]
        
        • Scan Mail Bases[/COLOR]
      • Click OK & have it scan My Computer
      When the scan is done, in the Scan is complete window (below), any infection is displayed.
      There is no option to clean/disinfect, however, we need to analyze the information on the report.
      
      (http://i154.photobucket.com/albums/s258/evilfantasy69/kscancomplete.jpg)
      
      To obtain the report:
      Click on: Save Report As... (shown above)
      Next, in the Save as prompt, Save in area, select: Desktop.
      In the File name area, use KScan, or something similar.
      In Save as type: click the drop arrow and select: Text file [*.txt]
      Then, click: Save
      Please add the Kaspersky Online Scanner Report in your next post.
      
      ---------------
      
      Next post
      Kscan log

Title: Windows cleanup
Post by: alyoob on February 05, 2008, 09:38:44 AM

I ran the demo mode of windows cleanup and it found these files to delete do you think i should delete them or is there any files that should not be deleted. I believe there are files that should not be deleted.



[file cleanup - saving space - attachment deleted by admin]

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 05, 2008, 10:06:51 AM

Thats what I was wanting to be deleted.

Just waiting for the Kaspersky log now.

Title: Kaspersy online scanner
Post by: alyoob on February 05, 2008, 12:47:44 PM

scanner results attached

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 05, 2008, 01:28:38 PM

You are using a unlicensed version of AVG.

Uninstall it!!!!

Then go here http://free.grisoft.com/doc/downloads?prd=aff to download and install the free version.

Run a full system scan and remove anything found.

Then run the CleanUp! program and then run a new Kaspersky scan and post the log please.

Title: Re: Analyse hijack log and combofix
Post by: alyoob on February 07, 2008, 05:05:06 PM

I scanned with avg free and it did not find anything rescanned with kaspery and it found the same thing that it had found any suggestions on what to do next. Here is the kaspersy log anyways

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 07, 2008, 06:08:17 PM

• Run avenger.exe by double-clicking on it.
• Check the Input script manually box.
  
• Click on the Magnifying Glass Icon which will open a new window titled View/edit script
  
• Copy everything in the Quote box below, and paste it in the box that opens:

Drivers to unload:

Code: [Select]

Folders to delete:
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar

Files to delete:
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar

Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

• Now click the 'Done' button.
  
• Click on the Green Light and OK the prompt.
  
• You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
  
• A log file from Avenger will be produced at C:\avenger.txt

The Avenger will automatically do the following:

• It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger's actions.

• This log file will be located at C:\avenger.txt

• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

• Please attach the C:\avenger.txt in your next post.

----------

Next post please add
Avenger log

Title: Avenger log
Post by: alyoob on February 07, 2008, 08:07:04 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kqnyg^xs

*******************

Script file located at: \??\C:\Program Files\gcexdcpa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Error: C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar is not a folder!  It may instead be a file.
Deletion of folder C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar failed!

Could not process line:
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar
Status: 0xc0000103



Could not open file C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe for deletion
Deletion of file C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe failed!

Could not process line:
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe
Status: 0xc0000033



Could not open file C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab for deletion
Deletion of file C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab failed!

Could not process line:
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab
Status: 0xc0000033



Could not open file C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe for deletion
Deletion of file C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe failed!

Could not process line:
C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe
Status: 0xc0000033



Could not open file C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe for deletion
Deletion of file C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe failed!

Could not process line:
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe
Status: 0xc0000033



Could not open file C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab for deletion
Deletion of file C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab failed!

Could not process line:
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab
Status: 0xc0000033



Could not open file C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe for deletion
Deletion of file C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe failed!

Could not process line:
C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe
Status: 0xc0000033

File C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 07, 2008, 08:26:07 PM

You are going to have to boot to safe mode and then delete the files manually.

First download ATF Cleaner by Atribune.  ATF Cleaner.exe (http://www.atribune.org/ccount/click.php?id=1) to the desktop. <<--Don't use it yet.

You may want to copy the rest of the instructions into Notepad and save it to the desktop so you will be able to view them in safe mode.

Boot into Safe Mode.

Starting your computer in safe mode

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  
• Ensure that the Safe Mode option is selected.
  
• Press Enter. The computer then begins to start in Safe mode.
  
• Login on your usual account.

.
Locate and delete these folders/files. (in bold)

C:\Downloads\AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar

C:\Downloads\rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe

While in Safe Mode run ATF Cleaner.

Make sure that all browser windows are closed.

• Under the Main tab, put a check next to Select All.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Firefox browser:
  Click on Firefox at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Opera browser:
  Click on Opera at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

.

Let me know how everything went.

Title: Re: Analyse hijack log and combofix
Post by: alyoob on February 07, 2008, 09:23:18 PM

Everthing went fine but i could not locate this file to delete

rebuilt.AVG Anti-Virus Professional Edition Latest v7.5.516 + Key.rar/keygen.exe/data0000.cab/update.exe

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 08, 2008, 12:12:13 AM

Thats Ok I am sure that The Avenger got it. Just wanted to be sure.

How is the computer now?

Title: Re: Analyse hijack log and combofix
Post by: alyoob on February 08, 2008, 10:48:55 AM

everything is fine i will repost if kasepersy finds anything when i scan the computer once again.

Title: Re: Analyse hijack log and combofix
Post by: evilfantasy on February 08, 2008, 11:00:48 AM

I will go ahead and post this.


Time to cleanup and secure the work you have done

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

Next
.
Download OTMoveIt2 by OldTimer  OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

• When finished exit out of OTMoveIt2

.
Learn more about how to protect yourself while on the internet read this article by Tony Klien:  So how did I get infected in the first place? (http://"http://www.castlecops.com/postlite7736-.html")