
Author Topic: hi_jack_this_log  (Read 19594 times)


solotekk

    Topic Starter


    Beginner

    hi_jack_this_log
    « on: December 30, 2007, 08:06:18 PM »
    hello, can you take a look at this HijackThis log?
    In the meantime, I am following evilfantasy's Malware Removal Guide.
    Your help is appreciated.

    thanks,
    Solotekk





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:52:12 PM, on 12/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20627)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {326A64FA-D569-EEE9-1A12-8A8DB82287C3} - C:\WINDOWS\system32\rfrbv.dll (file missing)
    O2 - BHO: (no name) - {4EDBDE99-610F-0DDC-2971-3CB60B49F29C} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\brainiak\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: []  (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
    O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
    O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
    O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\AWIE.exe
    O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\AWIE.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185379492998
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185379478327
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55CEAA12-2A7C-440E-A4CA-8C2172AC4282}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{80FD5D26-36C8-42DD-AB4E-F9231C6C3BD3}: NameServer = 65.24.7.3,65.24.7.6
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

    --
    End of file - 8004 bytes
    Never sit down in front of a computer and think to yourself, "This will only take a minute."

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: hi_jack_this_log
    « Reply #1 on: December 30, 2007, 08:19:23 PM »
    There is something going on there for sure.

    We will wait for the rest of the logs to see what all they removed, but there are a few things we can clean up right now.

    Open HijackThis and select Do a system scan only then place a check mark next to:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {326A64FA-D569-EEE9-1A12-8A8DB82287C3} - C:\WINDOWS\system32\rfrbv.dll (file missing)
    O2 - BHO: (no name) - {4EDBDE99-610F-0DDC-2971-3CB60B49F29C} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\AWIE.exe
    O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\AWIE.exe
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{80FD5D26-36C8-42DD-AB4E-F9231C6C3BD3}: NameServer = 65.24.7.3,65.24.7.6
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)


    Close all windows except for HijackThis and click Fix checked

    ==========

    Find and delete the following Files and Folders:

    C:\Program Files\HotWhois\AWIE.exe

    ==========

    Post a new HijackThis log after the other two scans are complete.
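
The entry classes evilfantasy picks out first in the reply above (hooks whose file is gone from disk, an autostart running out of Temp, an unrecognised Winsock LSP, the O17 name servers) can be pulled out of a HijackThis log mechanically. The following is an added example written for this page, not code from the thread or from HijackThis. The sample log is a subset of the posted log, copied as-is; the trusted DNS set is an assumption the reader supplies (here the router and ISP addresses the thread later confirms). Every hit is a review cue, not proof of infection.

```python
"""Triage a HijackThis 2.x log for the entry classes a helper checks first.

Added example for this page; not code from the thread or from HijackThis.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample: a subset of the log posted above (entries copied as-is).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {326A64FA-D569-EEE9-1A12-8A8DB82287C3} - C:\WINDOWS\system32\rfrbv.dll (file missing)
O2 - BHO: (no name) - {4EDBDE99-610F-0DDC-2971-3CB60B49F29C} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\brainiak\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{55CEAA12-2A7C-440E-A4CA-8C2172AC4282}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FD5D26-36C8-42DD-AB4E-F9231C6C3BD3}: NameServer = 65.24.7.3,65.24.7.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")
# Lower-cased path fragments that mean "launched from a user's Temp folder".
TEMP_HINTS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why a human should look at it
    line: str      # the log line verbatim, so it can be matched in "Fix checked"


def parse_entries(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, body, line) for every HijackThis entry line."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["sec"], m["body"], raw.strip()))
    return out


def triage(log_text: str, trusted_dns: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag entries worth a second look. An orphaned BHO is usually a leftover
    from a removal; a 'missing' file can also be one hidden by a rootkit."""
    findings = []
    for sec, body, line in parse_entries(log_text):
        low = body.lower()
        if sec in ("R0", "R1") and low.rstrip().endswith("="):
            findings.append(Finding(sec, "search/start setting emptied; common after a hijacker is removed", line))
        elif sec in ("O2", "O3", "O20") and any(mk in low for mk in MISSING_MARKERS):
            findings.append(Finding(sec, "load point references a file that is not on disk", line))
        elif sec == "O4" and any(h in low for h in TEMP_HINTS):
            findings.append(Finding(sec, "autostart runs a binary from a Temp folder", line))
        elif sec == "O10" and "unknown file" in low:
            findings.append(Finding(sec, "unrecognised Winsock LSP: identify it first, a broken LSP chain kills networking", line))
        elif sec == "O17" and "NameServer =" in body:
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append(Finding(sec, f"DNS servers not in the trusted set: {', '.join(unknown)}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    # 192.168.0.1 (router) and 65.24.7.3/.6 (ISP) are confirmed later in the thread.
    for f in triage(SAMPLE_LOG, frozenset({"192.168.0.1", "65.24.7.3", "65.24.7.6"})):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample with the router and ISP addresses trusted, it surfaces the same orphaned O2/O3/O20 hooks and empty R0 values that the reply above puts on the fix list, plus the UIUCU autostart in Temp and the unknown LSP for identification. Drop the ISP addresses from the trusted set and the second O17 line is flagged too, which is exactly the question asked later in the thread.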

    solotekk

      Re: hi_jack_this_log
      « Reply #2 on: December 31, 2007, 08:42:56 PM »
      here is the superantispyware log.

      thx


      [file cleanup - saving space - attachment deleted by admin]

      evilfantasy
      Re: hi_jack_this_log
      « Reply #3 on: December 31, 2007, 08:46:06 PM »
      ESET log?

      solotekk

        Re: hi_jack_this_log
        « Reply #4 on: December 31, 2007, 09:06:54 PM »
        sorry.... I'll get that to you ASAP. Thanks

        solotekk

          Re: hi_jack_this_log
          « Reply #5 on: January 02, 2008, 03:25:50 AM »
          here you go.

          thx,
          solotekk


          [file cleanup - saving space - attachment deleted by admin]

          evilfantasy
          Re: hi_jack_this_log
          « Reply #6 on: January 02, 2008, 10:21:45 AM »
          Open HijackThis and select Do a system scan only then place a check mark next to:

          O4 - HKUS\S-1-5-20\..\Run: [] (User 'NETWORK SERVICE')
          O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
          O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
          O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
          O4 - Global Startup: Digital Line Detect.lnk = ?
          O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
          O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)


          Close all windows except for HijackThis and click Fix checked


          I want to run one more scan just to be sure.

          Download SDFix.exe and save it to your Desktop.

          Double click SDFix.exe and it will extract the files to %systemdrive%
          (Drive that contains the Windows Directory, typically C:\SDFix)

          Please then reboot your computer in Safe Mode by doing the following:


          • Restart your computer
          • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
          • Instead of Windows loading as normal, the Advanced Options Menu should appear;
          • Select the first option, to run Windows in Safe Mode, then press Enter.
          • Choose your usual account.
          • Open the extracted SDFix folder and double click RunThis.bat to start the script.
          • Type Y to begin the cleanup process.
          • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
          • Press any Key and it will restart the PC.
          • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
            • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
              (Report.txt will also be copied to Clipboard).
            • Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

          solotekk

            Re: hi_jack_this_log
            « Reply #7 on: January 02, 2008, 01:38:35 PM »
            here you go. thx.



            [file cleanup - saving space - attachment deleted by admin]

            evilfantasy
            Re: hi_jack_this_log
            « Reply #8 on: January 02, 2008, 03:50:37 PM »
            Making progress........


            Please download Vundofix.exe to your desktop.

            • Double-click VundoFix.exe to run it.
            • Put a check next to Run VundoFix as a task.
            • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
            • When VundoFix re-opens, click the Scan for Vundo button.
            • Once it's done scanning, click the Remove Vundo button.
            • You will receive a prompt asking if you want to remove the files, click YES
            • Once you click yes, your desktop will go blank as it starts removing Vundo.
            • When completed, it will prompt that it will shutdown your computer, click OK.
            • Turn your computer back on.
            • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
            Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

            Please let Vundo finish, sometimes it can take multiple passes

            ---------------

            Please download Combofix by sUBs from either here or here

            Important Save Combofix.exe to your your Desktop.

            • Double click combofix.exe & follow the prompts.
            • From the keyboard select 1 and press enter.
            • When finished, it will produce a log for you.
            • Attach that log in your next reply.
            Do not mouseclick combofix's window while it's running. That may cause your computer to stall

            ---------------

            Next post
            Vundofix log
            combofix log


            solotekk

              Re: hi_jack_this_log
              « Reply #9 on: January 02, 2008, 07:16:19 PM »
              What is VundoFix anyway? And why the funky name?
              just curious..............

              evilfantasy
              Re: hi_jack_this_log
              « Reply #10 on: January 02, 2008, 07:22:54 PM »
              Vundo is a variant of a Trojan Horse.

              Vundofix, searches for the vundo infections and fixes any that are found.

              solotekk

                Re: hi_jack_this_log
                « Reply #11 on: January 02, 2008, 08:57:00 PM »
                okay......so VundoFix didn't find any issues, therefore I have no log.
                But I do have a ComboFix log and another hjt log.

                cheers.......
                 

                [file cleanup - saving space - attachment deleted by admin]

                evilfantasy
                Re: hi_jack_this_log
                « Reply #12 on: January 02, 2008, 09:26:08 PM »
                Tough log....... All of the Lenovo and IBM entries look like malware, so it is taking me a while.


                For now, do you know this IP? 192.168.0.1


                evilfantasy
                Re: hi_jack_this_log
                « Reply #13 on: January 02, 2008, 09:52:38 PM »
                Delete these files/folders, as follows:

                1. Please open Notepad
                • Click Start , then Run
                • Type notepad.exe in the Run box.
                2. Now copy/paste the entire content of the quotebox below into the Notepad window:

                Quote
                Folder::
                C:\WINDOWS\i34yuc387

                File::
                C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
                C:\Program Files\?ppPatch\?serinit.exe
                C:\Program Files\WinPop\winpop.exe

                Registry::
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg]
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387]
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd]
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]

                3. Save this as CFScript on the desktop.
                4. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                5. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

                Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

                solotekk

                  Re: hi_jack_this_log
                  « Reply #14 on: January 02, 2008, 09:58:53 PM »
                  wow... ok. I am aware that 192.168.0.1 is the default gateway/DNS protocol address for most cable modems and wireless routers. I am communicating with you on the IBM, and the default gateway address is not 192.168.0.1.

                  However, a few months ago, my client was in another state and recalls using the 192.168.0.1 as dns, but doesn't remember the ip address.
                   
                  Why do you ask? Is this a problem? I am anxious to learn why you think all the Lenovo and IBM software is malware?

                  interesting..........If you require more info, just let me know, I'll be happy to investigate.

                  evilfantasy
                  Re: hi_jack_this_log
                  « Reply #15 on: January 02, 2008, 10:14:26 PM »
                  192.168.0.1 is the DLink router setup page. (thanks Broni)


                  65.24.7.3 and 65.24.7.6 must be your ISP.

                  Quote
                  I am anxious to learn why you think all the lenovo and ibm software is malware?
                  No, I don't think it is malware; I meant it looks like malware. A lot of the .dll and .sys files have strange, almost cryptic names like ar5211.sys or tphklock.dll. Many times when there are a lot of file names like that they will be either malicious files or leftovers from cleaned malware. I hadn't seen most of them before, so it took me a while to figure them all out.
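
The heuristic described in the reply above (a batch of names that look like keyboard mash is often malware or its leftovers, but vendor drivers and hotkey DLLs look exactly the same) can be written down and tested against this thread. What follows is an added example for this page, not the thread's or any tool's code. It scores names taken from the log and the fix scripts in this thread for a few "looks random" signals, then removes the ones a publisher lookup accounts for. The publisher attributions in KNOWN_GOOD are mine, not stated in the thread, and the signal thresholds are arbitrary choices, not anything measured.

```python
"""Name-randomness heuristic for triage, then clearance by publisher lookup.

Added example for this page; not code from the thread or from any tool.
"""
from __future__ import annotations
import os
import re

VOWELS = set("aeiou")

# Names taken from this thread: vendor files that puzzled the helper, Windows
# components, and the entries the later fix scripts targeted for removal.
NAMES = [
    "rfrbv.dll", "awcofznA.exe", "i34yuc387", "SfKg6w", "Fkgswssg", "Umvjiuyd",
    "rayiou.exe", "UIUCU.EXE", "ar5211.sys", "tphklock.dll", "avgwlntf.dll",
    "ctfmon.exe", "acs.exe",
]

# Publisher attribution is mine (from vendor documentation), not stated in the thread.
KNOWN_GOOD = {
    "ar5211.sys": "Atheros AR5211 wireless driver",
    "tphklock.dll": "Lenovo/IBM ThinkPad hotkey support",
    "avgwlntf.dll": "AVG 7 Winlogon notification DLL",
    "ctfmon.exe": "Windows text services",
}


def signals(name: str) -> list[str]:
    """Return the 'looks random' signals a file name trips (thresholds are arbitrary)."""
    stem = os.path.splitext(name)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    found = []
    # Pronounceable names have vowels; keyboard mash mostly does not.
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        found.append("few-vowels")
    run = longest = 0
    for c in stem.lower():
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    if longest >= 4:
        found.append("consonant-run")
    if sum(c.isdigit() for c in stem) >= 3:
        found.append("many-digits")
    # Digits followed by letters: not a trailing version/model number like ar5211.
    if re.search(r"\d[a-zA-Z]", stem):
        found.append("digits-inside")
    # A capital letter in the middle of an otherwise lower-case name.
    if not stem.isupper() and re.search(r"[a-z][A-Z]", stem):
        found.append("odd-case")
    return found


def review_queue(names: list[str], known_good: dict[str, str]) -> dict[str, list[str]]:
    """Names tripping at least one signal, minus those a publisher lookup accounts for."""
    flagged = {n: signals(n) for n in names}
    return {n: s for n, s in flagged.items() if s and n not in known_good}


def missed(names: list[str], targets: set[str]) -> list[str]:
    """Targets the heuristic would NOT have flagged (why a heuristic is not evidence)."""
    return [n for n in names if n in targets and not signals(n)]


if __name__ == "__main__":
    for n, s in review_queue(NAMES, KNOWN_GOOD).items():
        print(f"{n:14} {', '.join(s)}")
    # Files the thread's fix scripts targeted but the heuristic says nothing about.
    print("missed:", missed(NAMES, {"rayiou.exe", "Umvjiuyd", "awcofznA.exe"}))
```

Before the publisher step the queue contains tphklock.dll, avgwlntf.dll, ctfmon.exe and ar5211.sys right next to rfrbv.dll and Fkgswssg, which is the situation the reply above describes. After it, five names remain. Note also what the heuristic misses: rayiou.exe and Umvjiuyd are pronounceable enough to trip nothing, yet both sit on the removal list in this thread. A name heuristic only builds the review queue; identifying each file is what clears or confirms it.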

                    solotekk

                    Re: hi_jack_this_log
                    « Reply #16 on: January 02, 2008, 10:29:03 PM »
                    here is the combo log.

                    how did you end up figuring them out?  :)

                    yes, 65.24.7.3 and 65.24.7.6 is the ISP that she is using.




                    [file cleanup - saving space - attachment deleted by admin]

                    evilfantasy
                    Re: hi_jack_this_log
                    « Reply #17 on: January 02, 2008, 11:38:58 PM »
                    Well that didn't work.


                    Now download The Avenger By Swandog46, and save it to your Desktop.

                    • Extract avenger.exe from the Zip file and save it to your desktop
                    • Run avenger.exe by double-clicking on it.
                    • Check the Input script manually box.
                    • Click on the Magnifying Glass Icon which will open a new window titled View/edit script
                    • Copy everything in the Quote box below, and paste it in the box that opens:
                    Quote
                    Folders to delete:
                    C:\WINDOWS\i34yuc387
                    Files to delete:
                    C:\WINDOWS\awcofznA.exe
                    C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
                    C:\Program Files\?ppPatch\?serinit.exe
                    C:\Program Files\WinPop\winpop.exe
                    Registry keys to delete:
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awcofznA
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop
                    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch

                    Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

                    • Now click the 'Done' button.
                    • Click on the Green Light and OK the prompt.
                    • You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
                    • A log file from Avenger will be produced at C:\avenger.txt
                    The Avenger will automatically do the following:

                    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
                    • On reboot, it will briefly open a black command window on your desktop, this is normal.
                    • After the restart, it creates a log file that should open with the results of Avenger's actions.
                      • This log file will be located at C:\avenger.txt
                    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
                      • Please attach the C:\avenger.txt in your next post.
                    Next post
                    avenger log

                      solotekk

                      Re: hi_jack_this_log
                      « Reply #18 on: January 03, 2008, 12:16:47 PM »
                      cheers.......

                      [file cleanup - saving space - attachment deleted by admin]

                      evilfantasy
                      Re: hi_jack_this_log
                      « Reply #19 on: January 03, 2008, 02:42:21 PM »
                      Well this is fun.............. They aren't deleting.


                      Delete these files/folders, as follows:

                      1. Please open Notepad
                      • Click Start , then Run
                      • Type notepad.exe in the Run box.
                      2. Now copy/paste the entire content of the quotebox below into the Notepad window:

                      Quote
                      KillAll::

                      Folder::
                      C:\WINDOWS\i34yuc387

                      File::
                      C:\WINDOWS\awcofznA.exe
                      C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
                      C:\Program Files\?ppPatch\?serinit.exe
                      C:\Program Files\WinPop\winpop.exe

                      Registry::
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awcofznA
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop
                      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch

                      3. Save this as CFScript on the desktop.
                      4. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                      5. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

                      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang


                      Next post
                      combofix log
                      New HijackThis log

                        solotekk

                        Re: hi_jack_this_log
                        « Reply #20 on: January 03, 2008, 03:24:27 PM »
                        cheers again.................:)


                        [file cleanup - saving space - attachment deleted by admin]

                          solotekk

                          Re: hi_jack_this_log
                          « Reply #21 on: January 03, 2008, 04:12:13 PM »
                          I have a question......can't I just do Start, Run, regedit and manually find and delete the files? Or is it not that easy??

                          evilfantasy
                          Re: hi_jack_this_log
                          « Reply #22 on: January 03, 2008, 07:28:04 PM »
                          i have a question......can't i just do a start,  run,  regedit and manually find and delete the files? Or is it not that easy??


                          That was going to be the next move. I try not to send people into the registry unless necessary. I forgot you are a Tech, so we probably should have done this sooner.

                          You may not find all of them, but they need to be checked anyway.

                          ---------------

                          Go to My Computer->Tools->Folder Options->View tab:
                          • Under the Hidden files and folders heading:
                          • Select Show hidden files and folders.
                          • Uncheck Hide protected operating system files (recommended) option.
                          • Also, make sure there is no checkmark beside Hide file extensions for known file types.
                          • Click OK
                          ---------------

                          Follow these steps to create a backup of the registry.

                          • Click the Start button, then click Run. The Run window opens.
                          • Type REGEDIT, then click OK. The Registry Editor opens.
                          • Choose Registry, Export Registry File.
                          • Verify the following entries in the Export Registry File Dialog Box:
                            • Save in: Desktop
                            • File Name: Registry Backup
                            • Export Range: All
                          • Click Save.
                          • Exit the Registry Editor.
                          • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.

                          CAUTION:
                          Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes. Immediately verify the effect of your changes. When you have verified that the changes to the registry produce the desired result, delete the REGISTRY BACKUP.REG file from the desktop, otherwise restore it immediately.

                          Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

                          Delete the registry backup after an hour or so of normal computer functions.

                          ---------------

                          Look for these files, folders and registry keys.

                          Folder::
                          C:\WINDOWS\i34yuc387

                          File::
                          C:\WINDOWS\awcofznA.exe
                          C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
                          C:\Program Files\?ppPatch\?serinit.exe
                          C:\Program Files\WinPop\winpop.exe

                          Registry::
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awcofznA
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop
                          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch



                          Let me know how it went.

                          solotekk


                            Re: hi_jack_this_log
                            « Reply #23 on: January 03, 2008, 08:38:55 PM »
                            ok, now i'm confused.... No luck... none of those files are in the registry. How can that be? Why would the program (hi jack this) tell us that there are files in the computer that we are unable to find? unless the program itself is corrupted. Could that be a possibility or am I way off.. By the way......I don't even know what program produced those results. I just assumed it was hi jack this.
                            Sorry if it sounds like i'm a geek-a-zoid, but I enjoy stuff like this.

                            What do we tackle next?
                            .........your turn............ :)

                            evilfantasy

                            Re: hi_jack_this_log
                            « Reply #24 on: January 03, 2008, 08:52:27 PM »
                            We will run a more thorough scanner. This one is like HijackThis but on steroids  ;D

                            Post these logs directly into the next reply without attaching them. It may take two posts to get all of the text in but that is OK.


                            Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

                            • Close all applications and windows.
                            • Double-click on dss.exe to run it, and follow the prompts.
                            • When the scan is complete, two text files will open -
                              • main.txt <- this one will be maximized
                              • and extra.txt <-this one will be minimized
                            • Add the contents of main.txt in your post.
                            • Please also add extra.txt to your post.
                            What DSS will do:

                            • Create a new System Restore point in Windows XP and Vista.
                            • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
                            • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
                            • The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

                            solotekk


                              Re: hi_jack_this_log
                              « Reply #25 on: January 03, 2008, 09:44:35 PM »
                              cool program. there's nothing sweeter than a little bruteforce.  8)

                              cheers......



                              [file cleanup - saving space - attachment deleted by admin]

                              evilfantasy

                              Re: hi_jack_this_log
                              « Reply #26 on: January 04, 2008, 12:07:42 AM »
                              I think I found another one.

                              http://www.bleepingcomputer.com/startups/Windows.exe-14354.html

                              Download and install CleanUp! <<Don't run it yet.

                              Reboot into Safe Mode

                              Locate and delete the following Files indicated in RED

                              C:\WINDOWS\system32\windows.exe

                              Locate and delete this Registry Key

                              HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3B818B63-1E0F-602F-0308-050407080101}


                              Delete the Service (if found)
                              1. Open HijackThis and select Open the Misc Tools selection
                              2. Click Delete an NT service
                              3. In the Delete window, type BOONTY and press OK.
                              OK any prompts, close HijackThis. (if prompted to restart choose NO)

                              Locate and delete this entire Folder (if found)

                              C:\Program Files\Common Files\BOONTY Shared<<< delete that entire folder

                              Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
                              Set the program up as follows:
                              • Click Options...
                              • Move the arrow down to Standard CleanUp!
                              • Uncheck the following:
                                • Delete Newsgroup cache
                                • Delete Newsgroup Subscriptions
                              • Click OK
                              Press the CleanUp! button to start the program. Reboot/logoff when prompted.

                              Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know, as we will use another utility.

                              Restart your computer



                              Use this online scanner. It looks for more than just virus and trojan entries.

                              Please run the F-Secure Online Scanner

                              Note: This Scanner works with Internet Explorer Only!
                              • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
                              • Allow the Active X control to be installed on your computer, then click the Accept button
                              • Click Full System Scan and allow the components to download and the scan to complete.
                              • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
                              • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
                              • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
                                • If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
                              • When the cleaning option is presented, Uncheck Submit samples to F-Secure
                              • Click Automatic cleaning
                              • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
                              • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
                              • This scan will only work with Internet Explorer
                              • You must have administrator rights to run this scan
                              • This scan can take a while, so please be patient
                              Next post
                              F-Secure log
                              new HijackThis log



                              solotekk


                                Re: hi_jack_this_log
                                « Reply #27 on: January 04, 2008, 10:11:27 PM »
                                What does this mean????

                                I think I found another one.

                                http://www.bleepingcomputer.com/startups/Windows.exe-14354.html


                                I was unable to locate the windows.exe file.

                                 ???

                                evilfantasy

                                Re: hi_jack_this_log
                                « Reply #28 on: January 04, 2008, 10:16:23 PM »
                                The windows.exe file was in the Deckard's log. I don't understand why all of this stuff is logged but not found.

                                Do the F Secure scan for sure, it is a good scanner so should find and delete anything there.

                                solotekk


                                  Re: hi_jack_this_log
                                  « Reply #29 on: January 04, 2008, 10:35:17 PM »
                                  this is fun....... cleanup version 4.5.2 is not downloading completely from the link you provided. It's a 331kb file, and it's only downloading 134kb. Not sure, but there might be a problem with the person's website.... I tried it three times....

                                  ANYWAYS....... ;D

                                  I'll run the F-secure scan right now.....

                                  cheers.........

                                  evilfantasy

                                  Re: hi_jack_this_log
                                  « Reply #30 on: January 04, 2008, 11:04:00 PM »
                                  I had someone earlier have problems also, we will use ATF Cleaner.

                                  Please download ATF Cleaner by Atribune. ATF Cleaner.exe

                                  Make sure that all browser windows are closed.
                                  • Double-click ATF-Cleaner.exe to run the program.
                                  • Under Main choose: Select All and UNCHECK Cookies.
                                  • Click the Empty Selected button.
                                  If you use Firefox browser
                                  • Click Firefox at the top and choose: Select All and UNCHECK Cookies.
                                  • Click the Empty Selected button.
                                    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
                                  If you use Opera browser
                                  • Click Opera at the top and choose: Select All and UNCHECK Cookies.
                                  • Click the Empty Selected button.
                                    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
                                  Click Exit on the Main ATF Cleaner menu to close the program.

                                  solotekk


                                    Re: hi_jack_this_log
                                    « Reply #31 on: January 06, 2008, 11:59:30 AM »
                                    attached:

                                    f_secure log
                                    new hjt_log

                                    cheers.....


                                    [file cleanup - saving space - attachment deleted by admin]

                                    evilfantasy

                                    Re: hi_jack_this_log
                                    « Reply #32 on: January 06, 2008, 01:32:39 PM »
                                    Please use Panda's TotalScan
                                    • Under Scan Now click the Full Scan button
                                    • Follow the prompts to install the Active X if necessary
                                    • When the scan is finished, a report will be generated
                                    • Next to Scan Details click the small Save button and save the report to your desktop.
                                    • Please post the report in your reply along with a new HijackThis log.

                                    solotekk


                                      Re: hi_jack_this_log
                                      « Reply #33 on: January 06, 2008, 09:12:28 PM »
                                      The ATF cleaner program is quite impressive! I was amazed how much it cleaned.  Very kewl!! Thanks for referring it.

                                      I'm running the Panda scan right now.

                                      Thanks.
                                      Solotekk

                                      evilfantasy

                                      Re: hi_jack_this_log
                                      « Reply #34 on: January 06, 2008, 09:20:58 PM »
                                      If you like that one, you should try to download CleanUp! again. It has a few custom settings to it.

                                      Both are very powerful little programs!

                                      solotekk


                                        Re: hi_jack_this_log
                                        « Reply #35 on: January 06, 2008, 09:30:59 PM »
                                        OK. I will. should i use the link from a few posts ago? or can you provide a new link?

                                        thx.
                                         8)

                                        evilfantasy

                                        Re: hi_jack_this_log
                                        « Reply #36 on: January 06, 2008, 09:57:45 PM »

                                        solotekk


                                          Re: hi_jack_this_log
                                          « Reply #37 on: January 07, 2008, 12:19:31 PM »
                                          i'm still having problems downloading cleanUp452.exe. The website does offer the file in zip form, but the program is ver. 4.0. Maybe i'll try downloading the zip and check for updates.

                                          still scanning..............

                                          evilfantasy

                                          Re: hi_jack_this_log
                                          « Reply #38 on: January 07, 2008, 12:26:25 PM »
                                          Odd, I have no problems with downloading the installation package.

                                          CBMatt

                                          • Mod & Malware Specialist


                                          • Prodigy

                                          • Sad and lonely...and loving every minute of it.
                                          • Thanked: 167
                                            • Yes
                                          • Experience: Experienced
                                          • OS: Windows 7
                                          Re: hi_jack_this_log
                                          « Reply #39 on: January 07, 2008, 06:12:43 PM »
                                          Odd, I have no problems with downloading the installation package.
                                          I just tried it and I also didn't have any problems.

                                          I hope you don't mind me butting in for a second, but I noticed what appears to be a PurityScan infection.  It often disguises itself as legitimate files already existing on the computer, so it's important to determine which is the correct one to delete.  Because AppPatch normally isn't in Program Files, we shouldn't have to worry about mistaken identity.  However, the question mark in the file path might be confusing ComboFix and The Avenger.  It's just a theory and I could be wrong, but it's possible that this is getting in the way of removing the files.

                                          solotekk,
                                          Copy everything inside the quote box below (starting with dir) and paste it into Notepad.  Go up to File > Save As... and click the drop-down box to change the "Save As Type" to "All Files".  Save it as findfile.bat on your Desktop.

                                          Quote
                                          dir "C:\Program Files\?ppPatch" /a > files.txt
                                          rem /a also lists hidden and system entries; the path is quoted because of the space in "Program Files"
                                          notepad files.txt

                                          Locate findfile.bat on your Desktop and double-click on it.  It will open Notepad with some text in it.  Please post the contents of that Notepad file here.  If this doesn't work and the Notepad file is blank, then manually navigate to C:\Program Files and look for the ?ppPatch folder.  Look carefully because the ? is a wildcard, which means it can represent any letter.  In this case, I would expect it to be an A, but that's not guaranteed.  When you find the folder, please let us know the actual name of it and what files are inside of it.  Do not open any files that may be contained within this folder!  Only make note of the filenames!
                                          Quote
                                          An undefined problem has an infinite number of solutions.
                                          —Robert A. Humphrey
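An added example, not code from the thread, ComboFix or HijackThis: a Python script that parses the Folder::/File::/Registry:: list from Reply #22 and resolves each File and Folder entry on disk, treating ? as a one-character wildcard the way CBMatt's findfile.bat relies on, so the real names can be confirmed before anything is deleted. It runs offline against a constructed temporary tree standing in for C:\; the Ð and Þ in the sample names are assumptions for whatever characters the scanner printed as ?.

```python
"""Resolve a ComboFix-style removal list (Folder:: / File:: / Registry::)
against the file system, expanding '?' as a one-character wildcard.

Added example, not from the thread or from ComboFix/HijackThis. It builds
its own sample tree in a temporary directory that stands in for C:\\, so it
runs on any OS; Registry entries are parsed but only listed.
"""
import fnmatch
import os
import tempfile

SECTION_HEADERS = ("Folder::", "File::", "Registry::")

# Subset of the list posted in Reply #22 (taken from the thread, not constructed).
REMOVAL_LIST = """
Folder::
C:\\WINDOWS\\i34yuc387

File::
C:\\WINDOWS\\awcofznA.exe
C:\\Program Files\\?ppPatch\\?serinit.exe
C:\\Program Files\\WinPop\\winpop.exe

Registry::
HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\WinPop
"""


def parse_removal_list(text):
    """Split the text into {'Folder': [...], 'File': [...], 'Registry': [...]}."""
    sections = {h[:-2]: [] for h in SECTION_HEADERS}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line[:-2]
        elif current is not None:
            sections[current].append(line)
    return sections


def resolve_pattern(base, components):
    """Walk one path component at a time, matching each against the real
    directory listing case-insensitively (as NTFS does). '?' matches exactly
    one character and '*' any run, so a name the scanner printed as
    '?ppPatch' is found whatever its first character really is."""
    if not components:
        return [base]
    head, rest = components[0], components[1:]
    try:
        entries = os.listdir(base)
    except OSError:  # parent missing or unreadable: nothing can match
        return []
    hits = []
    for name in sorted(entries):
        if fnmatch.fnmatchcase(name.lower(), head.lower()):
            hits.extend(resolve_pattern(os.path.join(base, name), rest))
    return hits


def check_entries(sections, drive_root):
    """Map every File and Folder entry to the real paths it matches under
    drive_root (which plays the role of C:\\). Paths are returned relative
    to drive_root with backslashes so they read like the original list."""
    report = {}
    for kind in ("Folder", "File"):
        for entry in sections[kind]:
            _drive, _, tail = entry.partition("\\")  # drop the 'C:' prefix
            hits = resolve_pattern(drive_root, tail.split("\\"))
            report[entry] = [
                os.path.relpath(h, drive_root).replace(os.sep, "\\") for h in hits
            ]
    return report


def non_ascii_chars(path):
    """Characters a console-code-page tool would likely have printed as '?'."""
    return sorted({c for c in path if ord(c) > 127})


def build_sample_tree(root):
    """Constructed sample tree; not a real infected machine. The names use the
    Latin letters Ð and Þ (an assumption) as stand-ins for the characters the
    scanner reported as '?'. File contents are placeholder bytes."""
    for rel in ("Program Files/ÐppPatch", "Program Files/WinPop", "WINDOWS/i34yuc387"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in ("Program Files/ÐppPatch/Þserinit.exe", "Program Files/WinPop/winpop.exe"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder, not an executable")  # constructed marker content


def demo():
    """Parse the list, build the sample tree and return the resolution report."""
    sections = parse_removal_list(REMOVAL_LIST)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return check_entries(sections, root)


if __name__ == "__main__":
    for entry, hits in demo().items():
        if not hits:
            print(f"{entry} -> not found")
        for real in hits:
            odd = non_ascii_chars(real)
            print(f"{entry} -> {real}" + (f"  (non-ASCII: {odd})" if odd else ""))
```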

                                          evilfantasy

                                          Re: hi_jack_this_log
                                          « Reply #40 on: January 07, 2008, 06:15:45 PM »
                                          Thanks Chris.

                                          Good to see you posting again!!!

                                          CBMatt

                                          Re: hi_jack_this_log
                                          « Reply #41 on: January 07, 2008, 06:47:31 PM »
                                          It feels good to be posting again.  I hated having to neglect the forum for so long, but I've been incredibly busy with life.  Things have calmed down for now, though, so I'm trying to post a bit more.  I've even been able to get some reading done!

                                          solotekk


                                            Re: hi_jack_this_log
                                            « Reply #42 on: January 07, 2008, 11:43:14 PM »
                                            ok... so i did everything that chris instructed, but when i opened notepad from the desktop, of course it was blank. So i went on a search, and there is no folder named ?ppatch (or wildcard) of the sort. And all files are visible: which means no files or folders are being hidden. Could someone please give me more info on just what a Purityscan is? This is the first time that I am hearing of this.

                                            P.S. Chris, thanks for your input. Your help is appreciated as well as Evilfantasy's.

                                            [:)]
                                            solotekk
                                            still scanning............................... .....................

                                            evilfantasy

                                            Re: hi_jack_this_log
                                            « Reply #43 on: January 08, 2008, 12:05:28 AM »
                                            Purity scan/clickspring http://www.symantec.com/security_response/writeup.jsp?docid=2003-090516-2325-99


                                            Is the scan stuck on a file or what? This seems like an enormous amount of time.

                                            solotekk


                                              Re: hi_jack_this_log
                                              « Reply #44 on: January 08, 2008, 01:00:09 AM »
                                              i'm at 30 percent right now. i had to restart the scan again, due to a crappy wireless signal seven hours ago.  However, I have managed to find a spot that seems to be keeping a good solid signal. When I began the scan the first time, i noticed some slowness at the 19 percent mark. Plus, it stayed that way for about 35 minutes until i lost the signal.

                                              Please be patient.............besides, i can't fall asleep now anyways..............
                                              thanks

                                              solotekk


                                                Re: hi_jack_this_log
                                                « Reply #45 on: January 08, 2008, 01:15:00 AM »
                                                cheers..........




                                                [file cleanup - saving space - attachment deleted by admin]

                                                solotekk

                                                  Topic Starter


                                                  Beginner

                                                  Re: hi_jack_this_log
                                                  « Reply #46 on: January 08, 2008, 10:57:49 AM »
I need to send you a few print screens so you can see this new error that appeared this morning when AVG was auto-scanning. The file has a ? in front of the file name. Is there an alternate way to send you this zip file? Let me know.
                                                  thanks

                                                  evilfantasy

                                                  • Malware Removal Specialist
                                                  • Moderator


                                                  • Genius
                                                  • Calm like a bomb
                                                  • Thanked: 493
                                                  • Experience: Experienced
                                                  • OS: Windows 11
                                                  Re: hi_jack_this_log
                                                  « Reply #47 on: January 08, 2008, 11:39:01 AM »
OK, one step closer to a remedy.

Copy this file path C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz (highlight and press ctrl+C)

                                                  Go to www.viruschief.com

                                                  Paste the file path in the window under Quick Scan: (press ctrl+V on the keyboard to paste)

                                                  Click Scan.

                                                  You will see a message:
                                                  ENG: It can take up to 1 minute before your scan starts, please wait!
                                                  GER: Es kann bis zu einer Minute dauern bis Ihr Scan startet, bitte warten!


                                                  Once the scan is complete, copy the text in the window under BB Code and paste it into the next post.

                                                  You can go ahead and post that log now then continue on with the rest of the steps.

                                                  ----------

Next go to this file C:\Program Files\BitLord\Downloads\CYBER CD\Professional Spy\Investigating Tools\KEYKEY\keykey.exe. Look for an uninstaller and run it if it is there (if it will run).


                                                  Restart the computer in Safe mode

                                                  In Safe Mode:

                                                  Click Start > Run.

                                                  1. Type regedit

                                                  Then click OK.

                                                  2. Navigate to the key:

                                                  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

3. In the right pane, delete the values:

                                                  "SL Loader"="loadwin.exe"
                                                  "KK Loader"="%System%\loadkk.exe"


                                                  4. Navigate to the key:

                                                  HKEY_LOCAL_MACHINE\Software

5. In the left pane, delete the subkey:

                                                  ScreenLogger

                                                  6. Navigate to the key:

                                                  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

7. In the left pane, delete the subkey:

                                                  KeyKey

                                                  8. Exit the Registry Editor.

                                                  9. Restart the computer in normal mode.

                                                  ----------

                                                  Run ATF Cleaner.

                                                  ----------

                                                  Next run the Symantec W32.Esbot Removal Tool

Download the tool and follow the instructions.

                                                  -----------

                                                  We will try to not have to run another online scan due to the connection issues.


                                                  Please download DrWeb CureIt & save it to your desktop.

                                                  Scan with DrWeb-CureIt as follows:
                                                  • Double-click on drweb-cureit.exe and then click Start.
                                                  • An Express Scan of your PC notice will appear.
                                                  • Under Start the Express Scan Now Click OK to start.
                                                    • This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
                                                  • Once the short scan has finished, Click Options > Change settings
                                                  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
                                                  • Back at the main window, select the Complete scan button.
                                                  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
                                                    • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done:
                                                  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
                                                  • Save the DrWeb.csv report to your Desktop.
                                                  • Exit Dr.Web Cureit.
                                                  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                                                  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                                                  • Copy and paste that log in the next reply
                                                  ----------

Then make sure AVG is updated, boot to Safe Mode and run a full system scan with it.

                                                  ----------

Next post:
• Dr.Web log
• New HijackThis log



Also let me know how the computer is now.

                                                  solotekk

                                                    Topic Starter


                                                    Beginner

                                                    Re: hi_jack_this_log
                                                    « Reply #48 on: January 09, 2008, 08:36:10 PM »
                                                    ------ C:\Program Files\BitLord\Downloads\CYBER CD\Professional Spy\Investigating Tools\KEYKEY\keykey.exe. Look for an uninstaller and run it if it is there ( if it will run).--------

There is no uninstaller for the file keykey.exe.
                                                    Should I delete the folder KEYKEY?



                                                    evilfantasy

                                                    • Malware Removal Specialist
                                                    • Moderator


                                                    Re: hi_jack_this_log
                                                    « Reply #49 on: January 09, 2008, 08:50:50 PM »
Yes, manual removal is the next step; only you will also have to delete the registry keys as well.

                                                    Restart in safe mode to delete the files/folder.

                                                    In safe mode delete the following keys.

                                                    Click Start > Run.

                                                       1. Type regedit

                                                          Then click OK.

                                                       2. Navigate to the key:

                                                          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

3. In the right pane, delete the values:

                                                          "SL Loader"="loadwin.exe"
                                                          "KK Loader"="%System%\loadkk.exe"

                                                       4. Navigate to the key:

                                                          HKEY_LOCAL_MACHINE\Software

5. In the left pane, delete the subkey:

                                                          ScreenLogger

                                                       6. Navigate to the key:

                                                          HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

7. In the left pane, delete the subkey:

                                                          KeyKey

                                                       8. Exit the Registry Editor.

                                                       9. Restart the computer in normal mode.
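
As an added example (my code, not the thread's or evilfantasy's), the registry checks in steps 2 to 7 done from PowerShell: Get-KeyKeyArtifacts lists which of the named Run values and subkeys are actually present and whether the files they point at still exist, and Remove-KeyKeyArtifacts deletes only those, with -WhatIf and confirmation. Assumed: Windows, an elevated session, and that %System% in the thread means the System32 directory.

```powershell
# Added example (not from the thread): audit, and optionally remove, the
# registry artifacts named in steps 2-7. Assumes Windows and an elevated
# PowerShell session; key paths and value names are the ones the thread gives.

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValues = @('SL Loader', 'KK Loader')                          # step 3
$SubKeys   = @('HKLM:\SOFTWARE\ScreenLogger',                     # step 5
               'HKLM:\SYSTEM\CurrentControlSet\Services\KeyKey')  # step 7

function Resolve-RunTarget {
    # Turn Run-value data into candidate file paths so the disk can be checked.
    # %System% is read as the System32 directory (assumption about the thread's notation).
    param([string]$Data)
    $path = $Data.Trim('"') -replace '%System%', "$env:SystemRoot\System32"
    if ([System.IO.Path]::IsPathRooted($path)) { return @($path) }
    # A bare file name is searched for by the loader; check the usual places.
    return @("$env:SystemRoot\System32\$path", "$env:SystemRoot\$path")
}

function Get-KeyKeyArtifacts {
    # Returns one record per artifact that is actually present. Deletes nothing.
    $findings = @()

    if (Test-Path $RunKey) {
        $run = Get-ItemProperty -Path $RunKey
        foreach ($name in $RunValues) {
            $prop = $run.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }
            $present = Resolve-RunTarget $prop.Value | Where-Object { Test-Path $_ }
            $findings += [pscustomobject]@{
                Kind     = 'RunValue'
                Location = $RunKey
                Name     = $name
                Data     = $prop.Value
                OnDisk   = ($present -join ';')    # empty string = file is gone
            }
        }
    }

    foreach ($key in $SubKeys) {
        if (-not (Test-Path $key)) { continue }
        # For the Services subkey, ImagePath shows which binary the service loads.
        $image = (Get-Item $key).GetValue('ImagePath')
        $findings += [pscustomobject]@{
            Kind     = 'SubKey'
            Location = $key
            Name     = ''
            Data     = $image
            OnDisk   = ''
        }
    }
    return $findings
}

function Remove-KeyKeyArtifacts {
    # Removes only what Get-KeyKeyArtifacts reports. -WhatIf previews, and
    # ConfirmImpact=High means each deletion is confirmed unless -Confirm:$false.
    # Do this from Safe Mode, as the thread says, so the service or driver the
    # KeyKey subkey describes is not loaded while its key is removed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($f in Get-KeyKeyArtifacts) {
        $target = if ($f.Name) { "$($f.Location)\$($f.Name)" } else { $f.Location }
        if (-not $PSCmdlet.ShouldProcess($target, 'Delete')) { continue }
        if ($f.Kind -eq 'RunValue') {
            Remove-ItemProperty -Path $f.Location -Name $f.Name
        } else {
            Remove-Item -Path $f.Location -Recurse
        }
    }
}

# Audit first; then, in Safe Mode, run Remove-KeyKeyArtifacts -WhatIf before
# Remove-KeyKeyArtifacts itself.
Get-KeyKeyArtifacts | Format-Table -AutoSize
```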


                                                    solotekk

                                                      Topic Starter


                                                      Beginner

                                                      Re: hi_jack_this_log
                                                      « Reply #50 on: January 09, 2008, 09:00:36 PM »
Here is the BB code.




                                                      Antivir: Nothing found
                                                      ArcaVir: Nothing found
                                                      Avast: Nothing found
                                                      AVG: Nothing found
                                                      BitDefender: Trojan.Arcbomb.ZIP
                                                      ClamAV: Nothing found
                                                      F-Prot: Nothing found
                                                      Norman: Nothing found
                                                      Rising: Nothing found
                                                      VirusBlokAda32: Nothing found
                                                      VirusBuster: Nothing found

                                                      Report overview
                                                      Scanned by viruschief.com

                                                      evilfantasy

                                                      • Malware Removal Specialist
                                                      • Moderator


                                                      Re: hi_jack_this_log
                                                      « Reply #51 on: January 09, 2008, 09:08:17 PM »
Let's run that file through Jotti's scan and see what all is detected by it.

                                                      http://virusscan.jotti.org/

                                                      solotekk

                                                        Topic Starter


                                                        Beginner

                                                        Re: hi_jack_this_log
                                                        « Reply #52 on: January 09, 2008, 09:44:03 PM »
Here is what the http://virusscan.jotti.org/ scan found:

                                                        Scan taken on 10 Jan 2008 04:12:45 (GMT) 
                                                        A-Squared  Found nothing
                                                        AntiVir  Found HEUR/Exploit.HTML 
                                                        ArcaVir  Found nothing
                                                        Avast  Found nothing
                                                        AVG Antivirus  Found nothing
                                                        BitDefender  Found nothing
                                                        ClamAV  Found nothing
                                                        CPsecure  Found nothing
                                                        Dr.Web  Found nothing
                                                        F-Prot Antivirus  Found nothing
                                                        F-Secure Anti-Virus  Found nothing
                                                        Fortinet  Found nothing
                                                        Ikarus  Found nothing
                                                        Kaspersky Anti-Virus  Found nothing
                                                        NOD32  Found nothing
                                                        Norman Virus Control  Found nothing
                                                        Panda Antivirus  Found DoS/42zip 
                                                        Rising Antivirus  Found nothing
                                                        Sophos Antivirus  Found nothing
                                                        VirusBuster  Found nothing
                                                        VBA32  Found nothing

                                                        evilfantasy

                                                        • Malware Removal Specialist
                                                        • Moderator


                                                        Re: hi_jack_this_log
                                                        « Reply #53 on: January 09, 2008, 10:01:36 PM »
                                                        I am leaning toward a false positive on that file.

Is this or was this a company machine that would have had monitoring software installed to ensure the user was doing their job?

                                                        C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz
                                                        http://www.nessus.org/nessus/

                                                        solotekk

                                                          Topic Starter


                                                          Beginner

                                                          Re: hi_jack_this_log
                                                          « Reply #54 on: January 09, 2008, 10:16:29 PM »
The DrWeb CureIt link is blank.

                                                          is there an alternative method?

                                                          evilfantasy

                                                          • Malware Removal Specialist
                                                          • Moderator


                                                          Re: hi_jack_this_log
                                                          « Reply #55 on: January 09, 2008, 10:19:11 PM »
                                                          I am having the worst time with links lately.

                                                          Use this direct download. ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

                                                          solotekk

                                                            Topic Starter


                                                            Beginner

                                                            Re: hi_jack_this_log
                                                            « Reply #56 on: January 09, 2008, 10:28:47 PM »
Is this or was this a company machine that would have had monitoring software installed to ensure the user was doing their job?


No, but my client did have another person working on this before I was hired. I'm not sure exactly what that person did either (installed, uninstalled, or repaired).

                                                            Why do you ask?

                                                            evilfantasy

                                                            • Malware Removal Specialist
                                                            • Moderator


                                                            Re: hi_jack_this_log
                                                            « Reply #57 on: January 09, 2008, 11:06:23 PM »
Nessus is some sort of security software. It could have been corrupted by a virus but I am leaning toward a false positive. I didn't read much on the web site so I am not clear on exactly what type of security it is. Antivirus reports what it sees as suspicious. Therefore if some sort of legitimate monitoring software is put on a computer the AV will report it, because the way it works is not normal compared to other programs.

And if it were company software I wouldn't want to see you take it out and possibly jeopardize your client's standing with the company. But if it is a personal computer and not known what it is or why it's there...

                                                            It is your call on that one. It is at C:\Program Files\Tenable\Nessus\plugins\plugin.tar.gz
                                                            There may be an uninstaller in there or in add/remove programs.

                                                            solotekk

                                                              Topic Starter


                                                              Beginner

                                                              Re: hi_jack_this_log
                                                              « Reply #58 on: January 10, 2008, 08:28:34 AM »
OK, I looked in both places, and am unable to find an uninstaller... hmmm...

                                                              Any suggestions?

                                                              thanks...

                                                              evilfantasy

                                                              • Malware Removal Specialist
                                                              • Moderator


                                                              Re: hi_jack_this_log
                                                              « Reply #59 on: January 10, 2008, 11:03:18 AM »
                                                              Manually deleting everything you can find.

                                                              solotekk

                                                                Topic Starter


                                                                Beginner

                                                                Re: hi_jack_this_log
                                                                « Reply #60 on: January 11, 2008, 07:26:32 PM »
Here is the log file for Dr.Web and a new HJT log.

                                                                cheers.



                                                                [file cleanup - saving space - attachment deleted by admin]

                                                                evilfantasy

                                                                • Malware Removal Specialist
                                                                • Moderator


                                                                Re: hi_jack_this_log
                                                                « Reply #61 on: January 11, 2008, 09:16:15 PM »
                                                                Have Hijackthis fix this entry.

                                                                O4 - Global Startup: Digital Line Detect.lnk = ?

                                                                Other than that everything looks fine.

                                                                Go to Start > Run and copy and paste next command in the field:

                                                                ComboFix /u

                                                                Make sure there's a space between Combofix and /u
                                                                Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

                                                                ----------

                                                                Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

                                                                1. Double click OTMoveIt2.exe to launch it.
                                                                2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished, exit out of OTMoveIt2.
                                                                ----------

                                                                Let me know how everything is now.

                                                                solotekk

                                                                  Topic Starter


                                                                  Beginner

                                                                  Re: hi_jack_this_log
                                                                  « Reply #62 on: January 12, 2008, 05:32:23 PM »
Hi, everything looks pretty good from where I'm sitting.

                                                                  I know it took a while to find a solution, and again, I thank you for your help.

                                                                  you are the best.

If I need your assistance in the future, would it be OK if I emailed you or should I look for you on "the computer forums.com"?

                                                                  Have a great evening!!

                                                                  Solotekk

                                                                  evilfantasy

                                                                  • Malware Removal Specialist
                                                                  • Moderator


                                                                  Re: hi_jack_this_log
                                                                  « Reply #63 on: January 12, 2008, 05:37:12 PM »
I can be reached either way.

Closing steps...

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished, exit out of OTMoveIt2.

                                                                  • Go to Start > All Programs > Accessories > System Tools > System Restore
                                                                  • Select Create a restore point, and click Next.
                                                                  • Next, go to Start > Run and type in cleanmgr
                                                                  • Select the More options tab
                                                                  • Next to System Restore click Clean up...
                                                                  This will remove all restore points except the new one you just created.

                                                                  Let us know if anything else comes up.


                                                                  solotekk

                                                                    Topic Starter


                                                                    Beginner

                                                                    Re: hi_jack_this_log
                                                                    « Reply #64 on: January 12, 2008, 08:06:14 PM »
                                                                    I will. Thanks a million.

                                                                    keep kewl...... 8)