
Author Topic: hi_jack_this_log  (Read 19526 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: hi_jack_this_log
« Reply #15 on: January 02, 2008, 10:14:26 PM »
192.168.0.1 is the DLink router setup page. (thanks Broni)


65.24.7.3 and 65.24.7.6 must be your ISP.

Quote
I am anxious to learn why you think all the lenovo and ibm software is malware?
No, I don't think it is malware; I meant it looks like malware. A lot of the DLLs and .sys files have strange, almost cryptic names like ar5211.sys or tphklock.dll. Many times when there are a lot of file names like that they will be either malicious files or leftovers from cleaned malware. I hadn't seen most of them before, so it took me a while to figure them all out.

solotekk

    Topic Starter


    Beginner

    Re: hi_jack_this_log
    « Reply #16 on: January 02, 2008, 10:29:03 PM »
    Here is the combo log.

    How did you end up figuring them out?  :)

    Yes, 65.24.7.3 and 65.24.7.6 belong to the ISP that she is using.




    [file cleanup - saving space - attachment deleted by admin]
    Never sit down in front of a computer and think to yourself, "This will only take a minute."

    evilfantasy

    Re: hi_jack_this_log
    « Reply #17 on: January 02, 2008, 11:38:58 PM »
    Well that didn't work.


    Now download The Avenger By Swandog46, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the Input script manually box.
    • Click on the Magnifying Glass Icon which will open a new window titled View/edit script
    • Copy everything in the Quote box below, and paste it in the box that opens:
    Quote
    Folders to delete:
    C:\WINDOWS\i34yuc387
    Files to delete:
    C:\WINDOWS\awcofznA.exe
    C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
    C:\Program Files\?ppPatch\?serinit.exe
    C:\Program Files\WinPop\winpop.exe
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awcofznA
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch

    Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

    • Now click the 'Done' button.
    • Click on the Green Light and OK the prompt.
    • You will be prompted to restart; click OK at the prompt and your PC should reboot. If not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    The Avenger will automatically do the following:

    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions.
      • This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
      • Please attach the C:\avenger.txt in your next post.
    Next post
    avenger log

    solotekk


      Re: hi_jack_this_log
      « Reply #18 on: January 03, 2008, 12:16:47 PM »
      cheers.......

      [file cleanup - saving space - attachment deleted by admin]

      evilfantasy

      Re: hi_jack_this_log
      « Reply #19 on: January 03, 2008, 02:42:21 PM »
      Well this is fun.............. They aren't deleting.


      Delete these files/folders, as follows:

      1. Please open Notepad
      • Click Start , then Run
      • Type notepad.exe in the Run box.
      2. Now copy/paste the entire content of the quotebox below into the Notepad window:

      Quote
      KillAll::

      Folder::
      C:\WINDOWS\i34yuc387

      File::
      C:\WINDOWS\awcofznA.exe
      C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
      C:\Program Files\?ppPatch\?serinit.exe
      C:\Program Files\WinPop\winpop.exe

      Registry::
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awcofznA
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch

      3. Save this as CFScript on the desktop.
      4. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      5. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.


      Next post
      combofix log
      New HijackThis log

      solotekk


        Re: hi_jack_this_log
        « Reply #20 on: January 03, 2008, 03:24:27 PM »
        cheers again.................:)


        [file cleanup - saving space - attachment deleted by admin]

        solotekk


          Re: hi_jack_this_log
          « Reply #21 on: January 03, 2008, 04:12:13 PM »
          I have a question... can't I just do a Start, Run, regedit and manually find and delete the files? Or is it not that easy??

          evilfantasy

          Re: hi_jack_this_log
          « Reply #22 on: January 03, 2008, 07:28:04 PM »
          Quote
          I have a question... can't I just do a Start, Run, regedit and manually find and delete the files? Or is it not that easy??

          That was going to be the next move. I try not to send people into the registry unless necessary. I forget you are a tech, so we probably should have done this sooner.

          You may not find all of them, but they need to be checked anyway.

          ---------------

          Go to My Computer->Tools->Folder Options->View tab:
          • Under the Hidden files and folders heading:
          • Select Show hidden files and folders.
          • Uncheck Hide protected operating system files (recommended) option.
          • Also, make sure there is no checkmark beside Hide file extensions for known file types.
          • Click OK
          ---------------

          Follow these steps to create a backup of the registry.

          • Click the Start button, then click Run. The Run window opens.
          • Type REGEDIT, then click OK. The Registry Editor opens.
          • Choose Registry, Export Registry File.
          • Verify the following entries in the Export Registry File Dialog Box:
            • Save in: Desktop
            • File Name: Registry Backup
            • Export Range: All
          • Click Save.
          • Exit the Registry Editor.
          • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.

          CAUTION:
          Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes. Immediately verify the effect of your changes. When you have verified that the changes to the registry produce the desired result, delete the REGISTRY BACKUP.REG file from the desktop, otherwise restore it immediately.

          Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

          Delete the registry backup after an hour or so of normal computer functions.

          ---------------

          Look for these files, folders and registry keys.

          Folder::
          C:\WINDOWS\i34yuc387

          File::
          C:\WINDOWS\awcofznA.exe
          C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe
          C:\Program Files\?ppPatch\?serinit.exe
          C:\Program Files\WinPop\winpop.exe

          Registry::
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awcofznA
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fkgswssg
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umvjiuyd
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch



          Let me know how it went.
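As an added example for this thread (it is not evilfantasy's code, nor part of HijackThis, ComboFix or The Avenger), here is a read-only PowerShell script that does the three things the post above asks for by hand: it exports a registry backup to the Desktop, reports the Folder Options values that control hidden files, and then checks whether each listed folder, file and registry key is actually present, without deleting anything. It assumes PowerShell 3 or later running from an administrator account; the paths and key names are copied from the post, and the `?` in two of the paths (how the log printed an unprintable character) is treated as a one-character wildcard.

```powershell
# Added example, not code from the thread or from any of the tools it names.
# Assumes PowerShell 3+ and an administrator session. Read-only: nothing is deleted.
$Desktop = [Environment]::GetFolderPath('Desktop')

# 1. Registry backup, the same result as REGEDIT -> Export Registry File, range "All",
#    written as one .reg file per hive. Double-click these only if you intend to restore.
foreach ($hive in 'HKLM', 'HKCU') {
    $out = Join-Path $Desktop "Registry Backup $hive.reg"
    & reg.exe export $hive $out /y | Out-Null
    Write-Host "backup written: $out"
}

# 2. The Folder Options -> View settings the post asks for, read from Explorer's registry key:
#    Hidden=1 shows hidden files, ShowSuperHidden=1 shows protected OS files, HideFileExt=0 shows extensions.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
'{0,-16} {1}' -f 'Hidden',          $adv.Hidden
'{0,-16} {1}' -f 'ShowSuperHidden', $adv.ShowSuperHidden
'{0,-16} {1}' -f 'HideFileExt',     $adv.HideFileExt

# 3. Items copied from the post.
$Paths = @(
    'C:\WINDOWS\i34yuc387',                                                             # folder
    'C:\WINDOWS\awcofznA.exe',
    'C:\Documents and Settings\brainiak\Application Data\Microsoft\Windows\rayiou.exe',
    'C:\Program Files\?ppPatch\?serinit.exe',       # "?" = one unknown character in the log
    'C:\Program Files\WinPop\winpop.exe'
)
$StartupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$KeyNames   = 'awcofznA', 'Fkgswssg', 'i34yuc387', 'SfKg6w', 'Umvjiuyd', 'WinPop', 'WinTouch'

$report = @()
foreach ($p in $Paths) {
    # -Force includes hidden and system items; -Path (not -LiteralPath) honours the "?" wildcard.
    $hits = @(Get-Item -Path $p -Force -ErrorAction SilentlyContinue)
    if ($hits.Count -eq 0) {
        $report += [pscustomobject]@{ Kind = 'path'; Item = $p; Found = $false; Detail = '' }
        continue
    }
    foreach ($h in $hits) {
        $kind = if ($h.PSIsContainer) { 'folder' } else { 'file' }
        $report += [pscustomobject]@{
            Kind   = $kind
            Item   = $h.FullName
            Found  = $true
            Detail = 'attributes=' + $h.Attributes + '; modified=' + $h.LastWriteTime
        }
    }
}
foreach ($n in $KeyNames) {
    $k     = Join-Path $StartupReg $n
    $found = Test-Path -LiteralPath $k
    # msconfig stores a disabled Startup entry under startupreg with its original
    # command line in the "command" value, which shows where the program was launched from.
    $cmd = ''
    if ($found) { $cmd = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).command }
    $report += [pscustomobject]@{ Kind = 'regkey'; Item = $k; Found = $found; Detail = "command=$cmd" }
}

$report | Format-Table -AutoSize -Wrap
$missing = @($report | Where-Object { -not $_.Found }).Count
Write-Host "$missing of $($report.Count) listed items were not found"
```

Run it from an elevated PowerShell prompt and paste the table into the reply instead of describing what Explorer and regedit did or did not show. The same Test-Path pattern extends to any other registry key, and Get-Service -Name covers a service, so the list can be widened as the analyst names more items.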

          solotekk


            Re: hi_jack_this_log
            « Reply #23 on: January 03, 2008, 08:38:55 PM »
            OK, now I'm confused... No luck... none of those files are in the registry. How can that be? Why would the program (HijackThis) tell us that there are files in the computer that we are unable to find, unless the program itself is corrupted? Could that be a possibility, or am I way off? By the way... I don't even know what program produced those results. I just assumed it was HijackThis.
            Sorry if it sounds like I'm a geek-a-zoid, but I enjoy stuff like this.

            What do we tackle next?
            .........your turn............ :)

            evilfantasy

            Re: hi_jack_this_log
            « Reply #24 on: January 03, 2008, 08:52:27 PM »
            We will run a more thorough scanner. This one is like HijackThis but on steroids  ;D

            Post these logs directly into the next reply without attaching them. It may take two posts to get all of the text in but that is OK.


            Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

            • Close all applications and windows.
            • Double-click on dss.exe to run it, and follow the prompts.
            • When the scan is complete, two text files will open -
              • main.txt <- this one will be maximized
              • and extra.txt <-this one will be minimized
            • Add the contents of main.txt in your post.
            • Please also add extra.txt to your post.
            What DSS will do:

            • Create a new System Restore point in Windows XP and Vista.
            • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
            • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
            • The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

            solotekk


              Re: hi_jack_this_log
              « Reply #25 on: January 03, 2008, 09:44:35 PM »
              cool program. there's nothing sweeter than a little bruteforce.  8)

              cheers......



              [file cleanup - saving space - attachment deleted by admin]

              evilfantasy

              Re: hi_jack_this_log
              « Reply #26 on: January 04, 2008, 12:07:42 AM »
              I think I found another one.

              http://www.bleepingcomputer.com/startups/Windows.exe-14354.html

              Download and install CleanUp! <<Don't run it yet.

              Reboot into Safe Mode

              Locate and delete the following Files indicated in RED

              C:\WINDOWS\system32\windows.exe

              Locate and delete this Registry Key

              Quote
              HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3B818B63-1E0F-602F-0308-050407080101}


              Delete the Service (if found)
              1. Open HijackThis and select Open the Misc Tools selection
              2. Click Delete an NT service
              3. In the Delete window, type BOONTY and press OK.
              OK any prompts, close HijackThis. (if prompted to restart choose NO)

              Locate and delete this entire Folder (if found)

              C:\Program Files\Common Files\BOONTY Shared<<< delete that entire folder

              Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
              Set the program up as follows:
              • Click Options...
              • Move the arrow down to Standard CleanUp!
              • Uncheck the following:
                • Delete Newsgroup cache
                • Delete Newsgroup Subscriptions
              • Click OK
              Press the CleanUp! button to start the program. Reboot/logoff when prompted.

              Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64-bit Operating System, do NOT run CleanUp! and let me know, as we will use another utility.

              Restart your computer



              Use this online scanner. It looks for more than just virus and trojan entries.

              Please run the F-Secure Online Scanner

              Note: This Scanner works with Internet Explorer Only!
              • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
              • Allow the Active X control to be installed on your computer, then click the Accept button
              • Click Full System Scan and allow the components to download and the scan to complete.
              • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
              • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
              • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
                • If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
              • When the cleaning option is presented, Uncheck Submit samples to F-Secure
              • Click Automatic cleaning
              • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
              • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
              • This scan will only work with Internet Explorer
              • You must have administrator rights to run this scan
              • This scan can take a while, so please be patient
              Next post
              F-Secure log
              new HijackThis log



              solotekk


                Re: hi_jack_this_log
                « Reply #27 on: January 04, 2008, 10:11:27 PM »
                What does this mean????

                Quote
                I think I found another one.

                http://www.bleepingcomputer.com/startups/Windows.exe-14354.html


                I was unable to locate the windows.exe file.

                 ???

                evilfantasy

                Re: hi_jack_this_log
                « Reply #28 on: January 04, 2008, 10:16:23 PM »
                The windows.exe file was in the Deckard's log. I don't understand why all of this stuff is logged but not found.

                Do the F-Secure scan for sure; it is a good scanner, so it should find and delete anything there.

                solotekk


                  Re: hi_jack_this_log
                  « Reply #29 on: January 04, 2008, 10:35:17 PM »
                  This is fun... CleanUp! version 4.5.2 is not downloading completely from the link you provided. It's a 331kb file, and it's only downloading 134kb. Not sure, but there might be a problem with the person's website... I tried it three times...

                  ANYWAYS....... ;D

                  I'll run the F-secure scan right now.....

                  cheers.........