Am I safe now (HijackThis log and my Bitdefender log)

Discussion in 'Malware Help (A Specialist Will Reply)' started by ofthedead, Jan 15, 2006.

  1. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run Blacklight once more and attach the log. Then I would like you to run the RegSrch.vbs file again.

    Have it do a search for dcincode.exe and siipinip9.sys and attach both logs.

    Also, let me just say that due to these detections, as a precaution, I would consider changing any passwords, checking bank accounts or anything like this, as these are a threat to personal information.
     
  2. ofthedead

    ofthedead Private E-2

    My Blacklight log
    And
    RegSrch told me no instances were found for these two… and it did not give me a log.
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\DCINCODE.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\drivers\siipinip9.sys into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and run Blacklight once more and attach the new log. I will hang around and await your new log.
     
  4. ofthedead

    ofthedead Private E-2

    My new Blacklight log
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good, does the Apropos still show up?
     
  6. ofthedead

    ofthedead Private E-2

    Just looked and I can still see

    C:\WINDOWS\pqJol
    And
    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run this again, reboot and check if they are gone. If they are not let me know and we will take a different approach.

     
  8. ofthedead

    ofthedead Private E-2

    I can still see

    C:\WINDOWS\pqJol
    And
    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps

    and it looks like SpywareGuard is not opening
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow the below steps...
    1. Please download and unzip Rootkit Revealer to your desktop.

    2. Please leave the defaults set as they are to:
      • Hide NTFS Metadata Files: this option is on by default
      • Scan Registry: this option is on by default.

    3. Launch rootkit revealer on the system and press the Scan button.

    4. RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.

    5. The log can be very large; please edit out the items in the following folders in the log, if present, before posting it: C:\RECYCLER\NPROTECT and C:\System Volume Information.

    6. Please attach the log here in this thread to your next post.
     
  10. ofthedead

    ofthedead Private E-2

    Thank you for your help
    I will post back sometime tomorrow …
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, I will check back then.
     
  12. ofthedead

    ofthedead Private E-2

    My rootkit log
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please download the attached file, save to your desktop. Make sure you have Admin rights or it will not work.

    Extract the contents and locate the file fix.bat, double click to run, it will flash for a second and that's it.

    Once you have completed this, proceed with the below...

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\dcincode.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\drivers\siipinip9.sys into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot a few times and attach a fresh log from Rootkit Revealer and also let me know if those entries come back.
     

    Attached Files:

    • fix.zip (369 bytes)
  14. ofthedead

    ofthedead Private E-2

    Before I do this I need to make sure which way I should boot up… Should I boot into normal mode, which would be my Lord Vigo account (the only account I can log in to in normal mode)? Or should I boot into safe mode? I have two choices in safe mode: Administrator, which requires no password, and the second, Lord Vigo. The Lord Vigo account requires a password and is the normal login that I use when I have Windows in normal mode.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try it from normal mode first and post the results.
     
  16. ofthedead

    ofthedead Private E-2

    My log
    and I can still see

    C:\WINDOWS\pqJol
    And
    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, this time reboot into Safe Mode under the Administrator account and run this fix! First, download the attached file "fix1.bat".

    If you haven't already, disable System Restore before running this.

    Once in Safe Mode, run the file you downloaded and then run the below. Also, if you see this before you begin, please run the AproposFix© by Swandog46 while you're in Safe Mode and attach that log as well!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\drivers\siipinip9.sys into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\dcincode.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and see if they come back.
     

    Attached Files:

    • fix1.zip (255 bytes)
    Last edited: Jan 21, 2006
  18. ofthedead

    ofthedead Private E-2

    I can still see

    C:\WINDOWS\pqJol
    And
    HKEY_LOCAL_MACHINE\SOFTWARE\Aprps
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the AproposFix again and attach this log, a new Rootkit Revealer log, and a new F-Secure log.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I got so into removing this I lost track of things, let's do some simple things quick like.

    Run the online scans listed below, attach both logs to your next post. Once I have all necessary logs I will post another fix. I will check back later.

     
  21. ofthedead

    ofthedead Private E-2

    Thank you for your help
    But I will have to post back sometime tomorrow …
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, I will post a fix once I have all 5 logs. I will check back later today.
     
  23. ofthedead

    ofthedead Private E-2

    Sorry I did not get to this sooner …
    These are the first 3 logs
    I will go do the other 2 now….
     

    Attached Files:

  24. ofthedead

    ofthedead Private E-2

    My rootkit log is not posting… I even renamed it a few times and it still will not post…


    Upload Errors
    3RootkitReveal.txt:
    Upload of file failed.
     
  25. ofthedead

    ofthedead Private E-2

    my logs for my online scans
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need the Rootkit Revealer log now, if you can't attach it just paste it inline.
     
  27. ofthedead

    ofthedead Private E-2

    I opened it but it is empty
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window, first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a Notepad window will come up with the StartupList.txt file. It is already saved in the directory HJT is running from, so just come back here and upload the file as an attachment to your next message.

    Also, download and run startuplist by merijn and attach a log from this utility.
     
    Last edited: Jan 25, 2006
  29. ofthedead

    ofthedead Private E-2

    I get this when posting
    Upload Errors
    merijn startuplist.txt:
    Your file of 253.4 KB bytes exceeds the forum's limit of 250.0 KB for this filetype.


    I will paste it in for you in the next post
     

    Attached Files:

  30. ofthedead

    ofthedead Private E-2

    Inline log attached to next post!
     
    Last edited by a moderator: Jan 25, 2006
  31. ofthedead

    ofthedead Private E-2

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 25, 2006
  32. ofthedead

    ofthedead Private E-2

    I don’t understand what I am supposed to do next… When I tried to post the log for merijn, it would give me this error:

    Upload Errors
    merijn startuplist.txt:
    Your file of 253.4 KB bytes exceeds the forum's limit of 250.0 KB for this filetype

    So I just pasted it in… but you edited that… So what should I do next?
     
  33. PhilliePhan

    PhilliePhan Guest

    Please download ISeeYouXP to your desktop.
    --DoubleClick it to run it and please save the log that pops up and upload it as an attachment to your post.

    I'd like to check a couple of things.

    Hang in there :)
    PP
     
    Last edited by a moderator: Jan 25, 2006
  34. PhilliePhan

    PhilliePhan Guest

    Sorry! In my haste, I gave you the wrong link . . . That is an older test version.

    Please use this one: ISeeYouXP


    PP :)
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    ofthedead,

    I have requested a second set of eyes on this one as it's being really stubborn. Go ahead and complete PP's steps on running the ISeeYouXP and he will check back soon.
     
  36. ofthedead

    ofthedead Private E-2

    OK, this is my ISeeYouXP log
     

    Attached Files:

  37. PhilliePhan

    PhilliePhan Guest

    Hi Ofthedead,

    At this point, I really don't see anything more than what BJ has found - Of course, the nature of this type of stealthed baddie and my coming to this thread after 80 previous posts doesn't make it easier! ;)

    So, if I ask you for a scan or to run steps you've already done, please bear with me!


    Anyhoo, please do the following for me:


    -- RUN the M$ Malicious Software Removal Tool
    - Then, please attach mrt.log found in the C:\Windows\Debug folder.

    -- Using Bill James' RegSrch (as you did before), please have it search for the following one by one and attach the results:

    siipinip9
    siipinip
    dcincode
    _CHA1280
    Cha1280
    _CDFS
    CDFS


    ALSO:

    Enter these one at a time into Pocket KillBox and click the red X each time to delete them:
    C:\WINDOWS\system32\dcincode.exe
    C:\WINDOWS\system32\drivers\siipinip9.sys


    *Do they show up in blue when you do this? In other words, can KillBox find them?

    Let me know how the above goes and if you ran into any trouble. Will check back when I can.

    Best Luck :)
    PP
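The three things the helpers keep asking for in posts 3, 13, 17 and 37 (search the registry for the suspect names, check whether the two files are visible, and queue them for deletion on reboot) can be done from one elevated PowerShell prompt. The script below is an added example written for this page; it is not from the thread, from RegSrch.vbs or from Pocket KillBox. The two file paths and the names dcincode, siipinip and Aprps are taken from the thread; the function names and the -ScheduleDelete switch are assumptions of mine. Nothing is deleted unless that switch is passed.

```powershell
# Added example; not from the thread or the tools it names.
# Run from an elevated PowerShell prompt on the affected machine.
# Assumed: the file paths and search terms are the ones named in the thread;
# the function names and the -ScheduleDelete switch are my own.
param([switch]$ScheduleDelete)

$targets = @(
    "$env:SystemRoot\system32\dcincode.exe",
    "$env:SystemRoot\system32\drivers\siipinip9.sys"
)
$terms = @('dcincode', 'siipinip', 'Aprps')

# 1. Registry search (what RegSrch.vbs does): every key name, value name and
#    value data under HKLM and HKCU that contains one of the terms.
function Search-Registry {
    param([string[]]$Terms, [string[]]$Roots = @('HKLM:\', 'HKCU:\'))
    $pattern = ($Terms | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

# 2. File check. Test-Path only reports what the Win32 API shows. A rootkit
#    that hooks directory enumeration hides the file here but not from a raw
#    disk scan, which is why the thread compares against Blacklight and
#    RootkitRevealer output instead of trusting Explorer.
function Test-Targets {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        [pscustomobject]@{ Path = $p; VisibleToApi = (Test-Path -LiteralPath $p) }
    }
}

# 3. Delete on reboot. Pocket KillBox's "Delete on Reboot" is MoveFileEx with
#    MOVEFILE_DELAY_UNTIL_REBOOT: the path is recorded in the
#    PendingFileRenameOperations value and removed by the Session Manager at
#    the next boot, before drivers and services start, so a loaded driver such
#    as siipinip9.sys cannot hold its own file open.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # A null destination means "delete at boot" rather than "rename at boot".
        $ok = [Win32.Native]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "MoveFileEx failed for ${p}: Win32 error $err"
        }
        [pscustomobject]@{ Path = $p; Scheduled = $ok }
    }
}

Search-Registry -Terms $terms | Format-Table -AutoSize
Test-Targets -Paths $targets | Format-Table -AutoSize
if ($ScheduleDelete) {
    Register-DeleteOnReboot -Paths $targets | Format-Table -AutoSize
    # Show what was queued; this is the list the Session Manager acts on at boot.
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}
```

Run it once without the switch to get the registry hits and the visibility of the two files, then with -ScheduleDelete and reboot. Two things to check afterwards: if Test-Path reports a file as not visible but Blacklight or RootkitRevealer listed it (the situation in post 38, where KillBox found dcincode.exe but not siipinip9.sys), the file is being hidden from the API and MoveFileEx will usually fail the same way, which is when an offline or raw-scan tool is needed; and a fresh RootkitRevealer run after the reboot confirms the deletion actually happened rather than being re-created by something still starting at boot.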
     
  38. ofthedead

    ofthedead Private E-2

    Hello
    Just so you know, I could not run the M$ Malicious Software Removal Tool from the web site, but I could download it and it ran just fine that way.

    And with killbox dcincode.exe was found in blue, but not the other one.
     

    Attached Files:

  39. ofthedead

    ofthedead Private E-2

    the rest of the logs
     

    Attached Files:

  40. PhilliePhan

    PhilliePhan Guest

    Thanks! A LOT of good info there! That gives me much more to work with!
    I will put some removal steps together for you.

    With my work and social schedule today (TGIF!;)), I won't be able to post them until tomorrow afternoon or evening - Just to give you a "heads up" so you don't keep looking for them . . . .

    BJ, however, may be able to post some in my absence using the info you obtained - Also, as I mentioned to BJ, I am not sure if this is part of the Apropos Kit or something else altogether . . .


    @BJ - If you do go ahead and post some steps, I would advise backing up the registry with a tool like ERUNT beforehand. I am not sure about that cdfs.sys - Will need further investigation!

    PP :)
     
  41. PhilliePhan

    PhilliePhan Guest

    Hi Ofthedead,

    Let's try this . . . .

    -- Please download OfTheDead FIX.zip and Extract it to your Desktop.
    - Open the OfTheDead Fix Folder and DoubleClick on deadfix.bat (with Gear icon) to run it.

    THEN:
    -- Reboot your compy
    -- Then, run Rootkit Revealer and attach that log and we'll go from there.

    Best Luck :)
    PP
     
  42. ofthedead

    ofthedead Private E-2

    My new Rootkit Revealer log
     

    Attached Files:

  43. PhilliePhan

    PhilliePhan Guest

    That looks much better!

    -- Just to be thorough . . .. swandog46 has updated aproposfix. Please delete your current copy and then download the new one (link is the same) and run it in Safe Mode as you did before. Please attach the resulting log as well as a fresh HijackThis Log.

    -- Also, let us know how things are running now and whether you are still finding problems.
    BJ will be jumping back into the thread to finish it out.

    Best Luck :)
    PP
     
  44. ofthedead

    ofthedead Private E-2

    My new logs

    The computer has not crashed since I uninstalled MSAS.

    Now I do not see HKEY_LOCAL_MACHINE\SOFTWARE\Aprps in my reg any more

    But I can still see the file C:\WINDOWS\pqJol
     

    Attached Files:

  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs look good, can you manually locate and delete that file? You should be able to locate, right click and delete it with no problem.

    C:\WINDOWS\pqJol

    Are you having any further problems?
     
  46. ofthedead

    ofthedead Private E-2

    Hi
    I deleted that file and everything looks good.
    Do you think I should reboot a few times just to make sure?

    Do you think I should run ccleaner or any other scans ?

    Now that it looks like all malware is gone should I disable system restore and reboot? And then re-enable system restore?

    I have noticed that sometimes SG will not show up in the bottom right hand corner. And if I try to open it from its icon it will not. Normally if I reboot it will come back with out any problems. Don’t know why it does that?

    And what should I do about MSAS. Do you think I should re install it or should I stick with SG.

    And out of the list of free firewalls, what do you think would be the most user friendly? I don’t want something that will constantly give me problems and warnings, but I would still like to be safer than the built-in Windows firewall. I also want something that will uninstall without problems (just in case I want to try something different).
     
  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can, just to be sure it's gone.

    I would run CCleaner all the time to keep it clean of junk files.

    Yes!

    Not sure as I'm not familiar with this program.

    Personally, I wouldn't because I don't like MSAS at all for many reasons but that's up to you.

    Personally, I use ZoneAlarm, it does a great job and doesn't use many resources.
     
  48. ofthedead

    ofthedead Private E-2

    Hi
    It looks like my computer is back to normal.
    I would like to thank the 2 of you for all your help and for hanging in this long.
    :D :) ;)
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  50. ofthedead

    ofthedead Private E-2

    Hi
    I had one more question. When I was cleaning up all the stuff we put on my desktop I ran into something called (hurl.exe). It will not let me move it off of the desktop or delete it. It gives me a message “ cannot delete hurl: it is being used by another person or program”

    Any help?
     
