Thread: Baciama- Fixwareout report

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    1

    Baciama- Fixwareout report

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8E0132CE0603-B6F8-3D64-74CE-5C983602{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\femmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmmef.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...
    * csr.exe C:\WINDOWS\System32\CSEII.EXE
    * csr.exe C:\WINDOWS\System32\{BDD2B~1.EXE

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSEII.EXE 51,233 2006-08-30
    C:\WINDOWS\SYSTEM32\DMIFE.EXE 61,985 2004-08-09
    C:\WINDOWS\SYSTEM32\DMMEF.EXE 61,985 2004-08-09
    C:\WINDOWS\SYSTEM32\DMXXI.EXE 61,985 2004-08-09

    Other suspects.
    Directory of C:\WINDOWS\system32
    {BDD2BCD6-BE9F-46B8-9BA4-D9E9540BBD95}.exe

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

  2. #2
    In Memoriam -Always in our heart pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Welcome to the forum, you seem to have missed this important information:
    Please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.
    UPDATED WINDOWS - Your first line of defence, links and tips
    http://forums.spybot.info/showthread.php?t=425
    "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
    http://forums.spybot.info/showthread.php?t=288

    Without seeing a HJT log BEFORE you ran Fixwareout I can't comment on the infection. From the looks of the report, you did indeed have the infection, but I still need to see a HJT log to know if it has removed the stuff. Fixwareout is also reporting that these files are probably bad:
    C:\WINDOWS\system32\{BDD2BCD6-BE9F-46B8-9BA4-D9E9540BBD95}.exe
    C:\WINDOWS\SYSTEM32\CSEII.EXE
    C:\WINDOWS\SYSTEM32\DMIFE.EXE
    C:\WINDOWS\SYSTEM32\DMMEF.EXE
    C:\WINDOWS\SYSTEM32\DMXXI.EXE

    Use these free online scanners to be sure they are bad:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

    You will need to show hidden files and folders:
    How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Delete them if you find they are bad, then post a fresh HJT log and I will take a look and advise you.

    Thanks

  3. #3
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    This topic is closed due to lack of a response to helper. If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
