Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Baylies hijackthis log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Baylies hijackthis log

Unread postby wolfenstien » March 17th, 2008, 12:24 am

so is she clean now? or.....?

Thanks again for the help on this.
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm
Advertisement
Register to Remove

Re: Baylies hijackthis log

Unread postby dan12 » March 17th, 2008, 2:17 am

so is she clean now? or.....?

No, we have only just started we have a way to go yet!
will be back with you later. :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby dan12 » March 17th, 2008, 3:47 pm

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
C:\Documents and Settings\Bailey\Application Data\0047cf333f146ee683017927e4c506bb6ccc0fb8840ba1e2bc.dat

Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\2107xg.exe
C:\WINDOWS\U2hpcGxleTI
C:\PROGRA~1\COMMON~1\ruiz\ruizm.exe


If Jotti is too busy please try Virustotal

Please post results while I finish the research on your combo log
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby dan12 » March 17th, 2008, 4:14 pm

When you have done above post:

Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 17th, 2008, 5:19 pm

from jotti:
File: 2107xg.exe
Status:
INFECTED/MALWARE
MD5: c60eb1708ff07708211399a25a6c1325
Packers detected:
PE_PATCH.UPX, UPX
Bit9 reports: File not found

F-Secure Anti-Virus, Kaspersky Anti-Virus, and VBA32: Found Trojan-Downloader.Win32.FraudLoad.ah

________________________

0047cf333f146ee683017927e4c506bb6ccc0fb8840ba1e2bc.dat

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

It is actually zero bytes.....

________________________

C:\WINDOWS\U2hpcGxleTI
Empty of any files.

_______________________

C:\PROGRA~1\COMMON~1\ruiz\ruizm.exe
Does not exist. from c:\program files\common files\ruiz
there is a sub folder "ruizd" which is also empty.


I do have "show hidden files" and "show hidden system files" selected.
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 17th, 2008, 5:21 pm

Can I see the uninstall log :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 17th, 2008, 5:26 pm

Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5
AOL Toolbar 2.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
CardRd81
CCScore
CR2
Crash Analysis Tool
Dell Driver Reset Tool
Dell Support 3.2.1
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP PSC & Officejet 4.2 Corporate Edition
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Jasc Animation Shop 3
Kodak EasyShare software
KSU
LimeWire 4.12.6
McAfee SecurityCenter
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft XML Parser and SDK
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
Nero 6 Ultra Edition
Nero PhotoShow Express
Nero Suite
Notifier
Opera 9.02
Opera 9.26
OTtBP
OTtBPSDK
PowerDVD
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SFR
SHASTA
SKIN0001
SKINXSDK
SoundMAX
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Viewpoint Media Player
VNC Enterprise Edition E4.2.7
VPRINTOL
WebCyberCoach 3.2 Dell
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WIRELESS
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 17th, 2008, 5:42 pm

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall LimeWire, however that choice is up to you.
If you wish to keep it, please do not use it until your computer is cleaned.

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
Additional info:Here
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.

___________________

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information.
CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'

____________________________


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
   File::
C:\Documents and Settings\Bailey\Application Data\evjhv.exe
C:\WINDOWS\quit.exe
C:\2107xg.exe

Folder::
C:\WINDOWS\provisioning
C:\WINDOWS\peernet
C:\WINDOWS\U2hpcGxleTI
C:\PROGRA~1\COMMON~1\ruiz
C:\Program Files\Web Buying
C:\PROGRA~1\PPPATC~1
C:\Program Files\\JavaCore
C:\Program Files\nvcoi
C:\Program Files\\NoDNS
C:\Program Files\ipwins

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eecmlk"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmnkk]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvutttr]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\845721c5]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM87641259]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ehss]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ifbqnhk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Adapter 5.1.3214]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qbdopmwc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qqg]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uypbfqt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zxxy]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]


DirLook::
C:\WINDOWS\system32\bits


    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


______________________

Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
____________

: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt

please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • Kaspersky scan log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 17th, 2008, 7:27 pm

I cannot do an online scan with the computer we are working on because it is not connected to the net.
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 17th, 2008, 7:36 pm

Does it not have net access, will it have in the near future?
just skip that part if you don't have net access, you should be able to run malwarebytes, don't forget to update the data base before you swith over and run the scan to the infected machine.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 17th, 2008, 7:50 pm

dan12 wrote:Does it not have net access, will it have in the near future?
just skip that part if you don't have net access, you should be able to run malwarebytes, don't forget to update the data base before you swith over and run the scan to the infected machine.


Not sure what you mean.... MWB needs to be installed before it can update. I cant install and update on this machine and then transfered via CD to the infected one.
Yes, it will be connected once it goes home, but I do not have any way of getting it online here where I am with the way I have my network installed.

I have just finished the MWB scan and 17 were found... and taking final steps now...
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby wolfenstien » March 17th, 2008, 8:02 pm

Ok, this is the log from ComboFix with the latest scrip you gave me:

ComboFix 08-03-14.4 - Admin 2008-03-17 18:13:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\2107xg.exe
C:\Documents and Settings\Bailey\Application Data\evjhv.exe
C:\WINDOWS\quit.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2107xg.exe
C:\Documents and Settings\Bailey\Application Data\evjhv.exe
C:\PROGRA~1\COMMON~1\ruiz
C:\WINDOWS\peernet\sqldb20.dll
C:\WINDOWS\peernet\sqlqp20.dll
C:\WINDOWS\peernet\sqlse20.dll
C:\WINDOWS\provisioning
C:\WINDOWS\provisioning\schemas\baseeapconnectionpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\baseeapuserpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\branding.xdr
C:\WINDOWS\provisioning\schemas\eapconnectionpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\eapuserpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\flashconfig.xdr
C:\WINDOWS\provisioning\schemas\flashconfigdevice.xdr
C:\WINDOWS\provisioning\schemas\help.xdr
C:\WINDOWS\provisioning\schemas\locations.xdr
C:\WINDOWS\provisioning\schemas\masterfile.xdr
C:\WINDOWS\provisioning\schemas\mschapv2connectionpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\mschapv2userpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\mspeapconnectionpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\mspeapuserpropertiesv1.xdr
C:\WINDOWS\provisioning\schemas\register.xdr
C:\WINDOWS\provisioning\schemas\ssid.xdr
C:\WINDOWS\provisioning\schemas\wirelessprofile.xdr
C:\WINDOWS\provisioning\schemas\wizard.xdr
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\U2hpcGxleTI
C:\WINDOWS\peernet . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-17 16:54 . 2008-03-17 16:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-03-14 06:13 . 2008-03-14 06:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-14 06:12 . 2008-03-14 06:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 06:00 . 2008-03-14 06:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-14 04:14 . 2008-03-14 04:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 04:14 . 2008-03-14 04:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 01:59 . 2008-03-17 18:14 4,374 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-14 01:56 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-14 01:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-14 01:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-14 01:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-14 01:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-14 01:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-14 01:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-14 01:51 . 2008-03-14 01:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-14 01:51 . 2008-03-14 02:01 <DIR> d-------- C:\Program Files\McAfee
2008-03-14 01:51 . 2008-03-14 01:56 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-14 01:16 . 2008-03-14 01:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-14 01:02 . 2008-03-14 01:02 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-03-14 00:44 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-14 00:44 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-14 00:44 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-14 00:44 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-14 00:44 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-14 00:44 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-14 00:44 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-14 00:44 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-14 00:44 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-14 00:40 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-14 00:18 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-13 23:45 . 2008-03-14 00:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 23:29 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-13 23:27 . 2008-03-17 18:17 <DIR> d-------- C:\WINDOWS\peernet
2008-03-13 23:26 . 2008-03-13 23:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 23:22 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-13 23:20 . 2008-03-13 23:20 <DIR> d-------- C:\WINDOWS\EHome
2008-03-13 23:17 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-13 23:17 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-13 23:17 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-13 23:06 . 2008-03-13 23:06 215 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-13 23:02 . 2004-08-04 03:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-13 23:02 . 2004-08-04 03:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-13 23:02 . 2004-08-04 03:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-13 23:02 . 2004-08-04 03:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-13 23:02 . 2007-03-08 11:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-13 22:56 . 2004-08-04 03:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-13 22:52 . 2008-03-13 23:01 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-03-13 22:52 . 2008-03-13 22:52 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-13 22:52 . 2004-01-10 01:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-08 00:02 . 2008-03-08 00:02 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-08 00:02 . 2004-08-04 03:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-03-08 00:02 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-08 00:02 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-08 00:02 . 2004-08-04 03:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-03-08 00:02 . 2004-08-04 03:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-03-07 23:04 . 2008-03-07 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-03-07 23:01 . 2008-03-07 23:01 61,224 --a------ C:\Documents and Settings\Bailey\GoToAssistDownloadHelper.exe
2008-03-07 22:01 . 2008-03-07 22:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-07 21:41 . 2008-03-14 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-07 21:41 . 2008-03-14 21:08 2,430 --a------ C:\WINDOWS\WinInit.Ini
2008-03-05 22:34 . 2008-03-07 10:37 0 ---hs---- C:\Documents and Settings\Bailey\Application Data\0047cf333f146ee683017927e4c506bb6ccc0fb8840ba1e2bc.dat
2008-03-05 19:50 . 2008-03-14 05:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-05 19:45 . 2008-03-05 19:45 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-14 10:14 --------- d-----w C:\Program Files\Lavasoft
2008-03-14 10:14 --------- d-----w C:\Documents and Settings\Bailey\Application Data\Lavasoft
2008-03-14 09:03 --------- d-----w C:\Program Files\Sync Manager
2008-03-14 08:09 --------- d-----w C:\Program Files\Opera
2008-03-08 04:01 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-28 21:38 --------- d-----w C:\Documents and Settings\Bailey\Application Data\LimeWire
2008-02-06 00:44 --------- d-----w C:\Program Files\MySpace
2008-02-06 00:44 --------- d-----w C:\Program Files\AIM
2008-02-06 00:44 --------- d-----w C:\Documents and Settings\Bailey\Application Data\Aim
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\bits ----

2004-07-01 18:08 361984 --a------ C:\WINDOWS\system32\bits\qmgr.dll


((((((((((((((((((((((((((((( snapshot@2008-03-16_20.32.35.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:45 151,552 -c--a-w C:\WINDOWS\system32\dllcache\sqldb20.dll
+ 2004-08-04 07:56:45 462,848 -c--a-w C:\WINDOWS\system32\dllcache\sqlqp20.dll
+ 2004-08-04 07:56:45 110,592 -c--a-w C:\WINDOWS\system32\dllcache\sqlse20.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bailey^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Bailey\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bailey^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\Bailey\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-07-13 22:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMon]
C:\WINDOWS\System32\CTF\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-06-18 01:24 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-06-18 01:24 131072 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 20:28 212992 C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-07 19:14 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 20:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ruiz]
C:\PROGRA~1\COMMON~1\ruiz\ruizm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Agent]
C:\Program Files\Sync Manager\agent\syncagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 13:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"MDM"=2 (0x2)
"helpsvc"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:40:33 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-14 05:52:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 18:17:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-17 18:18:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 22:18:32
ComboFix2.txt 2008-03-17 00:32:56
.
2008-03-14 02:45:16 --- E O F ---

_____________________________________________

And here is the log from MWB:

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 85102
Time elapsed: 13 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir (Trojan.Insider) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\s7\gbsu011.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-725345543-1078145449-839522115-1003\Dc450.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP468\A0055537.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056412.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056414.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056425.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056426.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bailey\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 18th, 2008, 7:58 am

I take it you were able to transfer malwarebytes to get the scan you posted?
Have a little to do from your returned combo log which is looking a lot better.
hope to be back with you later
dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby dan12 » March 18th, 2008, 8:29 pm

Very soon I will reach a point where by my final cleanup will be limited, due to the infected machine not being able to connect to the Internet.
I need the resources of the net to be able to do this.
Therefore you and the owner of the machine will have to decide what you want to do at that point. I appreciate the reluctance of not connecting it up to your network while being infected.

Can you look in this folder for me C:\WINDOWS\peernet

I just want to know if these three files exist. I don't want them deleting just let me know they are there.

sqldb20.dll
sqlqp20.dll
sqlse20.dll

Still working my way through your combo log at present but I've had to work tonight. :cry:
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 18th, 2008, 8:49 pm

Yes, All three of the files are there.

Its not a matter of whether I want to connect it to my network, its just that I cant... When I bought the house I rewired the entire cable system and networking system, and I have two ethernet connections in the house, and both are behind the large heavy computer desk/hutches. I cannot get to them, everything else in the house connects to my WEP connection. The Cable modem and router are both in my garage and I cannot connect the computer up in there.

I do have about 300 feet of unused cat5E, if I can find my connectors and connector tool, I will turn it into a long patch cord and be able to run it from the router to the computer and be able to connect it for you..... Ok, when you next need the computer to be online, I will have it onine for you, or atleast ready to get online.... even if I have to find a PCI wireless card for it....
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 71 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware