Tech Support Forum - View Single Post - Log

sUBs · 08-04-2006, 03:27 PM

Let's do this first..

Download and unzip - bfu.zip
Run the program and click the Web button located on the top right corner

Copy/Paste this url into the address bar of the Download script window:

http://metallica.geekstogo.com/EGDACCESS.bfu

Execute the script by clicking the Execute button. Post a new hijackthis log when finished.

If you have any questions about the use of BFU please click here

* * * * * *

Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)

Select Drive C: & click the 'OK' button
Select the following options:
- Temporary Internet Files
- Temporary Files
Click the 'OK' button

* * * * * *

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS /I
O2 - BHO: (no name) - {533F8AB8-2A41-0BA1-7C76-6A2D82F3F1FE} - C:\WINDOWS\system32\wwga.dll (file missing)
O2 - BHO: (no name) - {88863B88-415D-F26B-2FA3-F5DFFB68B46D} - C:\WINDOWS\System32\opgmjwtw.dll (file missing)
O2 - BHO: (no name) - {AAF45F0C-F6F7-894E-918B-B010421B5BF0} - C:\WINDOWS\system32\prh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [xvuiyrzlt] c:\windows\system32\xvuiyrzlt.exe xvuiyrzlt
O4 - HKLM\..\Run: [0dd90983.exe] C:\WINDOWS\system32\0dd90983.exe
O4 - HKCU\..\Run: [Pti] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [fwqz] C:\PROGRA~1\COMMON~1\fwqz\fwqzm.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binarie...SS_1064_XP.cab
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binarie...SS_1063_XP.cab
O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.japanese-porns.com/traffic/IE_plugin.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binarie...et32_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binari...SS_1068_XP.cab
O16 - DPF: {A1C392A2-B274-46DB-89BE-1FBD476B9C93} - http://scripts.downloadv3.com/binari...SS_1065_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab
O16 - DPF: {E114CD5B-17CE-4807-890E-7B1EDF9F2E5E} - http://scripts.downloadv3.com/binari...SS_1066_XP.cab
O16 - DPF: {E24E8472-89B7-479F-8AD8-BBD7206A6A02} - http://scripts.downloadv3.com/binari...SS_1067_XP.cab
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binarie...SS_1062_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab

* * * * * *

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * *

Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log

* * * * * *

1. Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include the following logs:

HiJackThis

DrWeb

Combofix

Blacklight

Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

08-04-2006, 03:27 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Let's do this first.. Download and unzip - bfu.zip Run the program and click the Web button located on the top right corner Copy/Paste this url into the address bar of the Download script window: http://metallica.geekstogo.com/EGDACCESS.bfu Execute the script by clicking the Execute button. Post a new hijackthis log when finished. If you have any questions about the use of BFU please click here * * * * * * Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup) Select Drive C: & click the 'OK' button Select the following options: Temporary Internet Files Recycle Bin Temporary Files Click the 'OK' button * * * * * * * Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/ F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS /I O2 - BHO: (no name) - {533F8AB8-2A41-0BA1-7C76-6A2D82F3F1FE} - C:\WINDOWS\system32\wwga.dll (file missing) O2 - BHO: (no name) - {88863B88-415D-F26B-2FA3-F5DFFB68B46D} - C:\WINDOWS\System32\opgmjwtw.dll (file missing) O2 - BHO: (no name) - {AAF45F0C-F6F7-894E-918B-B010421B5BF0} - C:\WINDOWS\system32\prh.dll (file missing) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file) O4 - HKLM\..\Run: [xvuiyrzlt] c:\windows\system32\xvuiyrzlt.exe xvuiyrzlt O4 - HKLM\..\Run: [0dd90983.exe] C:\WINDOWS\system32\0dd90983.exe O4 - HKCU\..\Run: [Pti] C:\WINDOWS\System32\??rss.exe O4 - HKCU\..\Run: [fwqz] C:\PROGRA~1\COMMON~1\fwqz\fwqzm.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binarie...SS_1064_XP.cab O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binarie...SS_1063_XP.cab O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.japanese-porns.com/traffic/IE_plugin.cab O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binarie...et32_EN_XP.cab O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binari...SS_1068_XP.cab O16 - DPF: {A1C392A2-B274-46DB-89BE-1FBD476B9C93} - http://scripts.downloadv3.com/binari...SS_1065_XP.cab O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab O16 - DPF: {E114CD5B-17CE-4807-890E-7B1EDF9F2E5E} - http://scripts.downloadv3.com/binari...SS_1066_XP.cab O16 - DPF: {E24E8472-89B7-479F-8AD8-BBD7206A6A02} - http://scripts.downloadv3.com/binari...SS_1067_XP.cab O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binarie...SS_1062_XP.cab O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab * * * * * * Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * Download and run Blacklight Note that you must have local administrative privileges to run the program. Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this When it finishes, click Next. You may get a screen similar to the picture below. Click on Close BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log * * * * * * 1. Download this file - http://download.bleepingcomputer.com/sUBs/combofix.exe http://www.techsupportforum.com/sectools/combofix.exe 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include the following logs: HiJackThis DrWeb Combofix Blacklight Online scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?