
Another "Hijack" log that needs checking THANKS

Discussion in 'Windows - Virus and spyware problems' started by gwendolin, Dec 31, 2006.

  1. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    The script worked for me, so yes, I think you're missing something. Make sure you include "Files to delete:" and make sure there are no blank lines before "Files..."
     
  2. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    Yea, silly me, I left out (Files to delete), here's the Text log

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ipiqctry

    *******************

    Script file located at: \??\C:\Program Files\ucwbxwoq.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\System32\ps.a3d deleted successfully.
    File C:\WINDOWS\System32\redir2.a3d deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    And there is a Zip file at location advised
     
    Last edited: Jan 10, 2007
  3. Niobis

    Niobis Active member

    Oh my God, finally, I think we're actually getting somewhere! w00t, w00t! :-D

    Run ActiveScan one last time to see what remains.
     
    Last edited: Jan 10, 2007
  4. gwendolin

    gwendolin Senior member

    OK it's now 2.30am here, am commencing scan, will report back, is yippie too soon?
     
  5. Niobis

    Niobis Active member

    Let's not count our chickens before they hatch, but I think a 'yippie' is in order. :)
     
  6. gwendolin

    gwendolin Senior member

    Hooray, it's gone

    Still 3 hacking and heaps of spyware.

    Thank you so very much

    What do you recommend from here.


    Incident Status Location

    Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
    Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.as-eu.falkag.net/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settingsynton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.maxserving.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.hitbox.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.adopt.hbmediapro.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@ads.pointroll[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@bs.serving-sys[1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settingsynton\Cookies\anthea baynton@casalemedia[1].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@cdfreaks[2].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@club.cdfreaks[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@serving-sys[1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ynton\Cookies\anthea baynton@statcounter[1].txt
    Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\AresGalaxyClassic.exe[NNWARZ3_88.exe]
    Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[SHNT288.exe]
    Adware:Adware/nCase Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[saap.exe]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whAgent.inf]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whInstaller.exe]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whSurvey.exe]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][webhdll.dll]
    Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whiehlpr.dll]
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
    Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll
     
  7. Niobis

    Niobis Active member

    Copy the following [bold]bold[/bold] text into Notepad.

    [bold]REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}][/bold]

    Name the file [bold]Fix.reg[/bold]
    Change the "Save as Type" to [bold]All Files[/bold] and save it on the desktop.
    Open the Fix.reg file and click Yes when prompted to merge.

    Delete these with KillBox in safe mode:
    C:\WINDOWS\system32\xmltok.dll
    C:\Documents and Settings\nton\Desktop\crap\AresGalaxyClassic.exe
    C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe


    Clean the cookies with CCleaner or ATF Cleaner.


    Should be clean now, finally. :) If anything else comes up let me know. You're very welcome and good luck!
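    The ActiveScan report layout quoted in this thread and the REGEDIT4 key-deletion fix described above, as an added Python example (not code from the thread, from ActiveScan or from any tool named here): it parses each "Category:Name Status Location" line, classifies the location as a registry key, browser cookie, file embedded in an installer, or plain file, and emits the same `[-KEY]` deletion script that was written by hand. The sample lines are constructed from the thread's own report, with the profile path shortened.

```python
import re
from typing import Dict, List

# Constructed sample in the report layout pasted in the thread
# ("<Category>:<Name> <Status> <Location>"); user path shortened.
SAMPLE_REPORT = r"""
Incident Status Location

Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x.default\cookies.txt[.atdmt.com/]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
"""

# Name may contain spaces ("Cookie/Atlas DMT"), so it is matched lazily
# up to the fixed status phrase; everything after the status is the location.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)


def classify(location: str) -> str:
    """Registry key, browser cookie, file inside an installer/archive, or plain file."""
    if location.upper().startswith("HKEY_"):
        return "registry"
    if "cookies.txt[" in location or "\\Cookies\\" in location:
        return "cookie"
    if "[" in location:
        return "embedded"  # e.g. Setup.exe[payload.exe]: the carrier file is what gets removed
    return "file"


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse report lines into dicts; the header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inc = m.groupdict()
            inc["kind"] = classify(inc["location"])
            incidents.append(inc)
    return incidents


def build_regfix(incidents: List[Dict[str, str]]) -> str:
    """REGEDIT4 script: a leading '-' inside the brackets deletes that whole key on merge."""
    keys = [i["location"] for i in incidents if i["kind"] == "registry"]
    if not keys:
        return ""
    body = "\n\n".join(f"[-{k}]" for k in keys)
    return f"REGEDIT4\n\n{body}\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for inc in found:
        print(f"{inc['kind']:9} {inc['name']}: {inc['location']}")
    print(build_regfix(found))
```

Only the registry entries go into the .reg file; cookies and carrier files are handled by the cookie cleaner and KillBox steps the post lists.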
     
  8. gwendolin

    gwendolin Senior member

    I am unable to do so at present, however will do so later today as I will be otherwise engaged...I am unsure about CCleaner now as I believe I picked up virus after I d/l the latest version from filehippo, where do you recommend I get it from, thanks for all your help. I will get back to you later.
     
  9. Niobis

    Niobis Active member

    Link for CCleaner Slim. (no Yahoo! Toolbar)
     
  10. gwendolin

    gwendolin Senior member

    @Niobis

    [bold]I sincerely thank you for helping me with this problem, you really do "know your stuff", if I can ever return the favour then you know where I am.[/bold]

    What do I do with the nasty little zip file called Avenger, back up zip.

    Latest Report, I have just run ActiveScan as comp still running a little slow, here's the latest log,
    1 HackingTool and Rootkit
    12 Spyware

    This is after I ran both CCleaner and AVG spyware..any ideas what's going on??


    Incident Status Location

    Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
    Spyware:Spyware/New.net Not disinfected C:\!KillBox\AresGalaxyClassic.exe[NNWARZ3_88.exe]
    Spyware:Spyware/New.net Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[SHNT288.exe]
    Adware:Adware/nCase Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[saap.exe]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.inf]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whInstaller.exe]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whSurvey.exe]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][webhdll.dll]
    Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whiehlpr.dll]
    Adware:Adware/SAHAgent Not disinfected C:\!KillBox\xmltok.dll
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt

    More late Breaking News

    I have traced the Hacking Tool/Rootkit to a file named
    C:\Documents and Settings\nton\My Documents\desktop.ini
    Details of this file are
    Configuration Settings
    Attributes: Hidden, System
    Date Modified 10 june 2005
    Size 85 bytes

    Out of interest I r/c the file, went to Delete and got this response
    The file 'desktop.ini' is a system file. If you remove it, your computer or one of your programs may no longer work correctly. Are you sure you want to move it to recycle bin.

    Naturally I didn't do anything with it.

    Does this help in any way?
     
    Last edited: Jan 12, 2007
  11. Niobis

    Niobis Active member

    Actually, that report is wonderful. I was expecting the Zango and MyWebSearch reg keys to return, but they're gone now. :)

    Delete it, it's not needed.

    Delete the KillBox backup folder:
    C:\!KillBox

    This cookie you will have to delete manually:
    C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt


    Copy the following [bold]bold[/bold] text into Notepad.

    [bold]REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}][/bold]

    Name the file [bold]Fix.reg[/bold]
    Change the "Save as Type" to [bold]All Files[/bold] and save it on the desktop.
    Open the Fix.reg file and click Yes when prompted to merge.


    Open the desktop.ini with Notepad and post the contents here.
     
  12. gwendolin

    gwendolin Senior member

    Before I do anything, this scan has only just finished, looks like there's 2 Hacking and Rootkit now

    Incident Status Location

    Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
    Here's the .ini file contents

    [DeleteOnCopy]
    Owner=nton
    Personalized=5
    PersonalizedName=My Documents
     
  13. Niobis

    Niobis Active member

    Nothing to worry about. Just use the regfix and you'll be fine.
     
  14. gwendolin

    gwendolin Senior member

    Can I just delete the ini file and do I use reg.fix on

    C:\WINDOWS\system32\Process.exe
     
  15. bkf

    bkf Guest

    You two put a lot of time and super human effort into this system. And I know you want to beat this monster, but I question the stability and security of the system when you finish. Me I would have already formatted or taken the drive to the back yard and shot it. I think you have used just about every program known to kill this but I have to think even those programs have holes. I know it's a matter of personal pride but Gwen you got something that just defies the rules of nature. These hackers are getting very good (bless their hearts I would like to take them all out and hang them) Niobis has the smarts for virus killing and Gwen you have the smarts to move all your important stuff to other drives in what appears to be a very large system. I know it's a pain in the butt and for me a full reload would be at least a week or more without a ghost image. I follow this thread everyday and would like to hear your thoughts. Bk

    Gwen: After reading your last posts I rebuilt my ghost image just to keep it up to date. That was after running every anti everything I could think of. My system shows no problems or issues at the moment but I'm sure my time is coming as well. The ghost image sits on 5 DVD's as well as another drive just to make sure. I only ghost the OS because all the other drives only contain data and they sit on a couple of hundred DVD's. Ken
     
    Last edited by a moderator: Jan 13, 2007
  16. Niobis

    Niobis Active member

    @gwendolin, NO, do not delete the desktop.ini file. It is a necessary system file.
    No, process.exe belongs to SmitfraudFix. It's a process that stops process. AV's can't determine the difference between good and bad, so they're all flagged bad.

    Use the regfix for the Zango registry entry.


    @bkf,

    You're right in thinking that. Haxdoor is a backdoor and usually with all backdoors the HD should be reformatted. But, Haxdoor is easily removed in most cases. This case in particular is very odd because Haxfix would not remove the rootkit hidden files. If you read back and follow the Haxfix log, you'll see that Haxdoor itself was removed early. The problem was removing the info files. Info files themselves are not really malicious, so there wasn't much to be worried about.
     
    Last edited: Jan 13, 2007
  17. gwendolin

    gwendolin Senior member

    @bkf, I am NOT very computer smart, nor am I rich so I think I will just "hang in there" with niobis and see if we can beat this thing. Already he has solved the Virus problem and I'm sure he'll find a way to get rid of the Hacking Tools and Rootkit (whatever they are)

    So niobis if you're still there then so am I...let's kill the "beast"

    Yep, done that
     
    Last edited: Jan 13, 2007
  18. bkf

    bkf Guest

    I agree! Kill the beast! But I had to ask. The best and I'll keep reading. Again super human effort on both your parts :)

    "@bkf, I am NOT very computer smart"
    I think you underestimate yourself. Very few in here could stay the course with what you have been working through.
     
    Last edited by a moderator: Jan 13, 2007
  19. Niobis

    Niobis Active member

    Umm, I think we're done. Your computer is clean now.
     
  20. gwendolin

    gwendolin Senior member

    @niobis, Once again I would like to thank you for ALL your help, I'm so glad you persisted with the problem..as I said if ever I can return the favour then let me know.

    AD should be PROUD that they have members such as yourself who give their time FREELY AND WILLINGLY to help others. Cheers.
     
