Thread: Smitfraud-C.CoreService. (page 2 of 3, posts #11 to #20 of 21)

  #11 Junior Member (joined Jun 2007, 10 posts)

    Alright. I tried to restart and enter safe mode.

    I got the screen, selected safe mode with no networking, and pressed enter. It made me choose a partition, which was odd because there was only one, but I selected it. It began starting up in safe mode, listing a bunch of different files, but safe mode never started. I tried it several times. No luck.

  #12 miekiemoes, Visiting Fellow (joined Oct 2005, Belgium, 252 posts)

    Looks like we are running around in circles here.

    Anyway, can you rename HijackThis.exe to Analyse.exe?
    Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).

  #13 Junior Member (joined Jun 2007, 10 posts)

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:30 PM, on 2006-12-12
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\aim6\anotify.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\AJILON\Desktop\Analyse.exe.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  #14 miekiemoes, Visiting Fellow (joined Oct 2005, Belgium, 252 posts)

    Hi,

    Please delete the version of ComboFix you have, because we are already 3 weeks further and it has been updated, so it should normally run now (I guess it's FAT32 in your case, which explains why it didn't run previously).

    But first,

    Check and fix the following entry in HijackThis:

    O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe

    Then, * Re-download ComboFix to your desktop.
    Double-click combofix.exe
    Follow the prompts.
    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after the reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.
    Post the contents of this log in your next reply together with a new hijackthislog.
    Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

    If that still doesn't work and no logfile is created (no C:\Combofix.txt), then do next instead:

    * Download SDFix and save it to your Desktop.

    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    * Reboot into Safe Mode (without networking support!)
    To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
    Choose Safe Mode from the menu that will appear and press Enter.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

  #15 Junior Member (joined Jun 2007, 10 posts)

    Okay... I got an HJT log for you, as well as the ComboFix one, which worked this time =)

    HJT LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 10:22:59 PM, on 12/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\AIM6\aolsoftware.exe
    c:\program files\aim6\anotify.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HiJack This\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    ComboFix

    "AJILON" - 2006-12-17 22:13:51 - ComboFix 07-07-12.3 - Service Pack 1 FAT32


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\wintisv.exe


    ((((((((((((((((((((((((( Files Created from 2006-11-18 to 2006-12-18 )))))))))))))))))))))))))))))))


    2006-12-08 07:53 <DIR> d-------- C:\Program Files\Ares
    2006-12-07 21:33 <DIR> d--hs---- C:\FOUND.001
    2006-12-06 04:17 <DIR> d-------- C:\DOCUME~1\AJILON\APPLIC~1\AdobeUM
    2006-12-06 04:08 <DIR> d-------- C:\WINDOWS\Cache
    2006-12-06 03:35 <DIR> d--hs---- C:\FOUND.000
    2006-12-03 06:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\QuickTime
    2006-12-03 06:23 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2006-12-03 05:21 1,121 --a------ C:\WINDOWS\mozver.dat
    2006-12-03 05:21 <DIR> d-------- C:\DOCUME~1\AJILON\APPLIC~1\Snapfish
    2006-12-01 06:31 51,200 --a------ C:\WINDOWS\nircmd.exe
    2006-12-01 02:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2006-12-01 02:03 <DIR> d-------- C:\DOCUME~1\AJILON\APPLIC~1\Comodo
    2006-12-01 01:58 <DIR> d-------- C:\Program Files\Comodo
    2006-12-01 00:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2006-11-30 21:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2006-11-29 16:51 <DIR> d-------- C:\Program Files\HiJack This
    2006-11-29 04:39 724,992 --a------ C:\WINDOWS\iun6002.exe
    2006-11-27 21:55 <DIR> d-------- C:\DOCUME~1\AJILON\Incomplete
    2006-11-27 21:52 <DIR> d-------- C:\DOCUME~1\AJILON\APPLIC~1\LimeWire
    2006-11-25 23:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2006-11-25 22:33 <DIR> d-------- C:\Program Files\Common Files\imuk
    2006-11-25 22:18 <DIR> d--hs---- C:\WINDOWS\QUpJTE9O
    2006-11-25 02:13 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
    2006-11-25 02:13 150,528 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
    2006-11-25 02:13 14,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
    2006-11-23 19:55 <DIR> d-------- C:\Program Files\Common Files\?pPatch


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-03-15 17:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
    2007-03-15 17:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
    2006-11-24 00:55:08 -------- d-----w C:\Program Files\Common Files\??pPatch
    2006-11-07 04:58:50 -------- d-----w C:\DOCUME~1\AJILON\APPLIC~1\acccore
    2006-11-07 04:55:38 -------- d-----w C:\Program Files\AIM6
    2006-11-04 04:03:58 227 ----a-w C:\WINDOWS\PowerReg.dat
    2006-10-23 08:25:12 25,808 ----a-w C:\DOCUME~1\AJILON\APPLIC~1\GDIPFONTCACHEV1.DAT
    2003-05-07 19:32:34 266 --sh--w C:\Program Files\desktop.ini
    2003-05-07 19:32:34 11,079 ---h--w C:\Program Files\folder.htt
    2005-08-02 21:46:54 187,904 --sha-r C:\WINDOWS\QUpJTE9O\asappsrv.dll
    2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\QUpJTE9O\koDLnH6i.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2006-12-01 01:58]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 17:37]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll


    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2006-12-17 22:17:52
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2006-12-17 22:19:21
    C:\ComboFix-quarantined-files.txt ... 2006-12-17 22:19

    --- E O F ---

  #16 miekiemoes, Visiting Fellow (joined Oct 2005, Belgium, 252 posts)

    Hi,

    Only leftovers here...
    Navigate to the following folder:

    C:\Program Files\Common Files

    In there, there will be a folder called "?pPatch".
    It will most probably look like appPatch. Delete that folder.
    DON'T delete the AppPatch folder present in your C:\Windows folder, because that's a good one!!!

    Then, * Open Notepad - don't use any other text editor than Notepad or the script will fail.
    Copy/paste the text in the quotebox below into notepad:

    Folder::
    C:\Program Files\Common Files\imuk
    C:\WINDOWS\QUpJTE9O
    Save this as a text file named CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
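Two things in the ComboFix output posted in #15 are worth checking by hand, and the following added example (the editor's code, not ComboFix's and not part of the original thread) shows how. The hidden, system-attributed folder C:\WINDOWS\QUpJTE9O carries the base64 encoding of the account name shown in the ComboFix header line (base64 of "AJILON" is "QUpJTE9O"), and the "?pPatch" folder under Common Files is, as miekiemoes says, a look-alike of the legitimate AppPatch name, which lives under C:\Windows. The script parses lines in the format of the "Files Created" section and flags names that base64-decode to the account name, non-ASCII look-alikes of known-good names, and hidden+system folders that are not chkdsk FOUND.nnn output. The log rendered the odd character as "?", so a Cyrillic "а" (U+0430) is used as a stand-in; that choice and the KNOWN_GOOD list are assumptions.

```python
"""Folder-name checks for a ComboFix "Files Created" listing.

Added example by the editor, not ComboFix code. Sample lines are copied from
the posted log; the log showed one character of the Common Files entry as
'?', so a Cyrillic 'а' (U+0430) stands in for it here (an assumption).
"""
import base64
import binascii
import re
import unicodedata
from dataclasses import dataclass, field

USERNAME = "AJILON"   # account name from the ComboFix header line
KNOWN_GOOD = {"AppPatch", "System32", "Common Files"}   # assumed list of names worth impersonating

# Constructed sample input in the format of the "Files Created" section.
SAMPLE = (
    "2006-12-07 21:33 <DIR> d--hs---- C:\\FOUND.001\n"
    "2006-11-29 16:51 <DIR> d-------- C:\\Program Files\\HiJack This\n"
    "2006-11-25 22:33 <DIR> d-------- C:\\Program Files\\Common Files\\imuk\n"
    "2006-11-25 22:18 <DIR> d--hs---- C:\\WINDOWS\\QUpJTE9O\n"
    "2006-11-23 19:55 <DIR> d-------- C:\\Program Files\\Common Files\\\u0430ppPatch\n"
)

LINE_RE = re.compile(r"^\S+ \S+ <DIR> (?P<attr>[-a-z]{9}) (?P<path>.+)$")


def is_username_b64(name, username=USERNAME):
    """True if the folder name is the base64 encoding of the account name
    (QUpJTE9O decodes to AJILON)."""
    try:
        return base64.b64decode(name, validate=True) == username.encode("ascii")
    except (binascii.Error, ValueError):
        return False


def fold(name):
    """Lower-case the name and map each non-ASCII character to its NFKD
    ASCII base if it has one (fullwidth letters, accented letters),
    otherwise to '?' which lookalike_of treats as a wildcard."""
    out = []
    for ch in name:
        if ch.isascii():
            out.append(ch.lower())
            continue
        base = "".join(c for c in unicodedata.normalize("NFKD", ch)
                       if not unicodedata.combining(c))
        out.append(base.lower() if base and base.isascii() else "?")
    return "".join(out)


def lookalike_of(name, known=KNOWN_GOOD):
    """Return the known-good name this one impersonates, or None. Only names
    containing non-ASCII characters are candidates; each such character may
    stand for exactly one character of the real name."""
    if name.isascii():
        return None
    folded = fold(name)
    for good in known:
        g = good.lower()
        if len(g) == len(folded) and all(a == b or a == "?" for a, b in zip(folded, g)):
            return good
    return None


@dataclass
class Flag:
    path: str
    reasons: list = field(default_factory=list)


def triage(listing, username=USERNAME):
    """Flag folders whose name or attributes match the tricks in the log."""
    flags = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, attr = m.group("path"), m.group("attr")
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if is_username_b64(name, username):
            reasons.append(f"name is base64 of the account name {username}")
        good = lookalike_of(name)
        if good:
            reasons.append(f"non-ASCII look-alike of '{good}'")
        # chkdsk writes FOUND.nnn with hidden+system set; anything else
        # created with those attributes in this window is worth a look.
        if "h" in attr and "s" in attr and not name.upper().startswith("FOUND."):
            reasons.append("hidden+system attributes on a non-chkdsk folder")
        if reasons:
            flags.append(Flag(path, reasons))
    return flags


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.path)
        for r in f.reasons:
            print("    -", r)
```

On the sample this reports QUpJTE9O twice over (base64 of the account name, hidden+system) and the Common Files look-alike once, while FOUND.001, the HijackThis folder and imuk pass; imuk is caught by the autorun check in the earlier log, not by its name. The base64 test is cheap enough to run over every directory name in such a listing, since a legitimate folder name that happens to decode to the current account name is vanishingly unlikely.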

  #17 Junior Member (joined Jun 2007, 10 posts)

    Logfile of HijackThis v1.99.1
    Scan saved at 5:30:25 PM, on 7/12/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\AIM6\aolsoftware.exe
    c:\program files\aim6\anotify.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HiJack This\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





    "AJILON" - 2007-07-12 17:23:45 - ComboFix 07-07-12.3 - Service Pack 1 FAT32
    Command switches used :: C:\Documents and Settings\AJILON\Desktop\CFScript.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\imuk
    C:\WINDOWS\QUpJTE9O
    C:\WINDOWS\QUpJTE9O\asappsrv.dll
    C:\WINDOWS\QUpJTE9O\koDLnH6i.vbs


    ((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


    No new files created in this timespan


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2006-10-23 07:25:12 25,808 ----a-w C:\DOCUME~1\AJILON\APPLIC~1\GDIPFONTCACHEV1.DAT
    2003-05-07 18:32:34 266 --sh--w C:\Program Files\desktop.ini
    2003-05-07 18:32:34 11,079 ---h--w C:\Program Files\folder.htt


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 11:35]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2006-12-01 02:58]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 17:37]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    *Newly Created Service* - CATCHME

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-12 17:27:01
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-12 17:28:09
    C:\ComboFix2.txt ... 2006-12-17 22:19
    C:\ComboFix-quarantined-files.txt ... 2007-07-12 17:28

    --- E O F ---

  #18 miekiemoes, Visiting Fellow (joined Oct 2005, Belgium, 252 posts)

    Clean logs again.

    Delete the C:\Qoobox folder.

    Let me know how things are now.

  #19 Junior Member (joined Jun 2007, 10 posts)

    New logs below, and everything seems much better now. I still have popups occasionally but it's just the result of a cookie or something simple. My computer is still a bit on the slow side, but it's getting older.. it's about 4 years old in the computer world... it was running just fine up until lately. I want to ask you about defragmenting it... someone I know suggested it... I don't think it's ever been done, and I don't really know a lot about it. I'm much more... software oriented.. I know little to none about the actual background workings of a computer.



    "AJILON" - 2007-07-12 22:08:10 - ComboFix 07-07-12.3 - Service Pack 1 FAT32


    ((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


    No new files created in this timespan


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2006-10-23 07:25:12 25,808 ----a-w C:\DOCUME~1\AJILON\APPLIC~1\GDIPFONTCACHEV1.DAT
    2003-05-07 18:32:34 266 --sh--w C:\Program Files\desktop.ini
    2003-05-07 18:32:34 11,079 ---h--w C:\Program Files\folder.htt


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2006-12-01 01:58]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 17:37]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll


    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-12 22:13:04
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-12 22:14:28
    C:\ComboFix3.txt ... 2006-12-17 22:19
    C:\ComboFix-quarantined-files.txt ... 2007-07-12 17:28
    C:\ComboFix2.txt ... 2007-07-12 17:28

    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 10:05:31 PM, on 7/12/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\aim6\anotify.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJack This\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  #20 miekiemoes, Visiting Fellow (joined Oct 2005, Belgium, 252 posts)

    Hi,

    Logs still look clean

    Read here how to defragment: http://helpdesk.its.uiowa.edu/window...ons/defrag.htm
    In your case, it may take a long time to defragment since you have never done it before and your system is a FAT32.

    Glad I could help.

    Please read my Prevention page with lots of info and tips on how to prevent this in the future.
    And if you want to improve speed/system performance after malware removal, take a look here.

    Happy Surfing again!
