Hacking tools, virus mess, read me & run me first completed

Discussion in 'Malware Help (A Specialist Will Reply)' started by wuvablepebbles, Sep 1, 2007.

  1. wuvablepebbles

    wuvablepebbles Private E-2

    I was slammed the other night for 45 minutes according to my antivirus while surfing the net. I'm at a loss for what to do as it looks like things are quite a mess.

    I followed the Read & Run Me as best I could. The only log I didn't receive was the AVG antispy one (yes, I did have the option to have a log for every scan); for some reason it wouldn't give me one. The result only showed a couple of cookies. This scan took over 6 hours, so I would like to not repeat it if possible. Any help is MUCH appreciated!

    Something to note: starting yesterday, whenever I reboot, an MSN core folder pops up after starting up. I have never seen this before. I'm also going to include a copy of my antivirus log from the 'attack'.

    2007/08/30 22:00:35.375 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan. Deleted
    2007/08/30 22:00:35.546 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan.
    2007/08/30 22:00:35.578 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan.
    2007/08/30 22:00:35.656 File infection: C:\DOCUME~1\CHRISSIE\LOCALS~1\TEMP\XRUN.EXE is Win32/Derowarb.N trojan.
    2007/08/30 22:08:42.875 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\KTIBCLYB\is68089[1].exe is Win32/Chisyne.CH trojan. Deleted
    2007/08/30 22:08:42.937 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\is68089.exe is Win32/Chisyne.CH trojan. Deleted
    2007/08/30 22:09:21.062 File infection: C:\WINDOWS\system32\drvr2\bbc002nws.exe is Win32/SillyDl.YQ trojan. Deleted
    2007/08/30 22:09:21.203 File infection: C:\WINDOWS\system32\drvr2\bbc002nws.exe is Win32/SillyDl.YQ trojan.
    2007/08/30 22:09:21.218 File infection: C:\WINDOWS\system32\drvr2\bbc002nws.exe is Win32/SillyDl.YQ trojan.
    2007/08/30 22:09:33.109 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\DVLIK9G3\tk58[1].exe is Win32/Zquest.E trojan. Deleted
    2007/08/30 22:09:33.171 File infection: C:\WINDOWS\tk58.exe is Win32/Zquest.E trojan. Deleted
    2007/08/30 22:09:33.203 File infection: C:\WINDOWS\tk58.exe is Win32/Zquest.E trojan.
    2007/08/30 22:09:33.218 File infection: C:\WINDOWS\tk58.exe is Win32/Zquest.E trojan.
    2007/08/30 22:09:33.546 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\OL6FWX2J\83122[1].exe is Win32/VMalum.AOM infection. Quarantined
    2007/08/30 22:09:33.609 File infection: C:\WINDOWS\83122.exe is Win32/VMalum.AOM infection. Quarantined
    2007/08/30 22:09:33.625 File infection: C:\WINDOWS\83122.exe is Win32/VMalum.AOM infection.
    2007/08/30 22:09:33.640 File infection: C:\WINDOWS\83122.exe is Win32/VMalum.AOM infection.
    2007/08/30 22:29:48.004 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\S7MZO9YV\goo[1].htm is VBS/MS06-014!exploit trojan. Deleted
    2007/08/30 22:29:48.520 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\S7MZO9YV\goo[1].htm is VBS/MS06-014!exploit trojan.
    2007/08/30 22:29:48.551 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\S7MZO9YV\goo[1].htm is VBS/MS06-014!exploit trojan.
    2007/08/30 22:37:06.786 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan. Deleted
    2007/08/30 22:45:42.020 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\CBGHIVKR\is68089[1].exe is Win32/Chisyne.CH trojan. Deleted
    2007/08/30 22:45:44.192 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\is68089.exe is Win32/Chisyne.CH trojan. Deleted
     

    Attached Files:
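The scanner log quoted in the post above is worth reading as a timeline rather than a list. The following Python example is added here and is not part of the original post or of any scanner's own tooling: the lines in SAMPLE_LOG are copied from the post; the line grammar, the 60-second "re-drop" window and the cache-to-disk pairing rule are my own assumptions about how to read them.

```python
"""Summarise scanner log lines like the ones quoted in the post above.

Added example, not part of the original post: SAMPLE_LOG is copied from the
thread; the line grammar, the 60-second "re-drop" window and the
cache-to-disk pairing are assumptions about how to read such a log.
"""
import re
from datetime import datetime, timedelta

# One line = timestamp, path, threat name, family word (trojan/infection), optional action.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) File infection: "
    r"(?P<path>.+?) is (?P<threat>\S+) (?:trojan|infection)\."
    r"(?: (?P<action>Deleted|Quarantined))?$"
)

# Copied from the post (a subset of the lines, unchanged).
SAMPLE_LOG = r"""
2007/08/30 22:00:35.375 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan. Deleted
2007/08/30 22:00:35.546 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan.
2007/08/30 22:00:35.656 File infection: C:\DOCUME~1\CHRISSIE\LOCALS~1\TEMP\XRUN.EXE is Win32/Derowarb.N trojan.
2007/08/30 22:08:42.875 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\KTIBCLYB\is68089[1].exe is Win32/Chisyne.CH trojan. Deleted
2007/08/30 22:08:42.937 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\is68089.exe is Win32/Chisyne.CH trojan. Deleted
2007/08/30 22:09:21.062 File infection: C:\WINDOWS\system32\drvr2\bbc002nws.exe is Win32/SillyDl.YQ trojan. Deleted
2007/08/30 22:09:33.109 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\DVLIK9G3\tk58[1].exe is Win32/Zquest.E trojan. Deleted
2007/08/30 22:09:33.171 File infection: C:\WINDOWS\tk58.exe is Win32/Zquest.E trojan. Deleted
2007/08/30 22:09:33.609 File infection: C:\WINDOWS\83122.exe is Win32/VMalum.AOM infection. Quarantined
2007/08/30 22:29:48.004 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\S7MZO9YV\goo[1].htm is VBS/MS06-014!exploit trojan. Deleted
2007/08/30 22:37:06.786 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\xrun.exe is Win32/Derowarb.N trojan. Deleted
2007/08/30 22:45:42.020 File infection: C:\Documents and Settings\Chrissie\Local Settings\Temporary Internet Files\Content.IE5\CBGHIVKR\is68089[1].exe is Win32/Chisyne.CH trojan. Deleted
2007/08/30 22:45:44.192 File infection: C:\DOCUME~1\Chrissie\LOCALS~1\Temp\is68089.exe is Win32/Chisyne.CH trojan. Deleted
"""


def parse_log(text):
    """Turn the raw log into event dicts; a missing action means the scanner only reported the file."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
            "path": m["path"],
            "key": m["path"].lower(),  # XP paths are case-insensitive (XRUN.EXE == xrun.exe)
            "threat": m["threat"],
            "action": m["action"],
        })
    return events


def threats(events):
    return sorted({e["threat"] for e in events})


def removals_by_file(events):
    """Map each file (lower-cased path) to the timestamps at which it was deleted or quarantined."""
    out = {}
    for e in events:
        out.setdefault(e["key"], [])
        if e["action"]:
            out[e["key"]].append(e["ts"])
    return out


def redropped(events, gap=timedelta(seconds=60)):
    """Files removed and then removed again more than `gap` later.

    A burst of hits within the same second is one event reported several
    times; a second removal much later means something still running on the
    box wrote the file back, so the component doing the writing was not found.
    """
    flagged = []
    for key, stamps in removals_by_file(events).items():
        stamps = sorted(stamps)
        if any(later - earlier > gap for earlier, later in zip(stamps, stamps[1:])):
            flagged.append(key)
    return sorted(flagged)


def drive_by_drops(events):
    """Pair each browser-cache hit (Content.IE5 ... name[1].exe) with the copy written elsewhere.

    The same basename appearing in the IE cache and then in Temp or the
    Windows directory is what a page fetching and executing a payload looks like.
    """
    basename = lambda key: key.rsplit("\\", 1)[-1]
    cached = {}
    for e in events:
        if "\\content.ie5\\" in e["key"]:
            name = re.sub(r"\[\d+\](?=\.\w+$)", "", basename(e["key"]))  # strip IE's "[1]" suffix
            cached.setdefault(name, e["path"])
    pairs = {}
    for e in events:
        if "\\content.ie5\\" not in e["key"] and basename(e["key"]) in cached:
            pairs.setdefault(basename(e["key"]), (cached[basename(e["key"])], e["path"]))
    return pairs


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("threat names:", ", ".join(threats(ev)))
    for name, (cache_copy, disk_copy) in drive_by_drops(ev).items():
        print(f"{name}: {cache_copy} -> {disk_copy}")
    print("re-dropped after removal:", redropped(ev))
```

On this log the script pairs is68089[1].exe and tk58[1].exe in the IE cache with the copies written to Temp and C:\WINDOWS, and reports xrun.exe and is68089.exe as removed twice, 37 minutes apart. That second removal is the detail to act on: the scanner keeps cleaning up the payload, so whatever fetched it (the page, or a loader already on disk) is still the thing to locate.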

  2. wuvablepebbles

    wuvablepebbles Private E-2

    Did the HijackThis according to step 7 of the read me and run me first
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not really seeing any major issues. Let's cleanup some miscellaneous items and see where things stand. But first a question about some questionable folders.

    Tell me what you see in the below new folders:
    Code:
    C:\WINDOWS\system32\
    CAPCOM        Aug 30 2007              "capcom"
    CFIG322       Aug 30 2007              "cfig322"
    DRVR2         Aug 30 2007              "drvr2"
    EN-US         Aug 31 2007              "en-US"
    F02WTR        Aug 30 2007              "f02WtR"
    Delete the below large file wasting a load of diskspace:
    C:\54b.tmp


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [howyk] C:\Program Files\MSN Gaming Zone\howyk22011.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKCU\..\Run: [Antwar_Setup.exe] "C:\DOWNLO~1\ANTWAR~1.EXE" /r
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
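Reading a HijackThis O4 list by hand is how the reply above does it. The following Python example is added here and is neither part of the thread nor HijackThis's own logic: SAMPLE_HJT is copied from the reply; the heuristics it applies (launch from a Temp directory, random-looking executable names, unquoted paths containing spaces, an installer left in a Run key, a missing file) are my assumptions about what deserves a second look, not a claim that a flagged entry is malware, and they say nothing about harmless startup clutter such as update schedulers, which the reply removes on other grounds.

```python
"""Triage HijackThis startup entries (O4 Run keys, O20 Winlogon Notify).

Added example, not part of the original thread and not HijackThis's own
logic. SAMPLE_HJT is copied from the reply; the heuristics are assumptions
about what deserves a closer look, not a verdict.
"""
import re

O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
O20_LINE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)
EXE_EXT = (".exe", ".com", ".scr", ".dll", ".bat", ".cmd")
RANDOM_NAME = re.compile(r"^[a-z]{3,8}\d{4,}\.exe$", re.IGNORECASE)  # e.g. howyk22011.exe

# Copied from the reply above; the O16 line is left in to show unrelated sections are skipped.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [howyk] C:\Program Files\MSN Gaming Zone\howyk22011.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKCU\..\Run: [Antwar_Setup.exe] "C:\DOWNLO~1\ANTWAR~1.EXE" /r
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def executable(cmd):
    """Return the program a Run-key command launches.

    Quoted commands are unambiguous. For an unquoted path with spaces Windows
    tries each longer prefix ("C:\\Program", "C:\\Program Files\\MSN", ...) until
    one resolves, so we do the same; that is also why an unquoted path is worth
    flagging: a writable C:\\Program.exe would be run instead of the real target.
    """
    cmd = cmd.strip().replace("%systemroot%", r"C:\WINDOWS")  # assumption: default XP system root
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXE_EXT):
            return prefix
    return tokens[0]  # no recognised extension: first token (e.g. ...\dumprep 0 -u)


def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_LINE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "key": m["key"], "name": m["name"],
                            "cmd": m["cmd"], "exe": executable(m["cmd"]), "missing": False})
            continue
        m = O20_LINE.match(line)
        if m:
            entries.append({"kind": "O20", "hive": "HKLM", "key": "Winlogon\\Notify", "name": m["name"],
                            "cmd": m["dll"], "exe": m["dll"], "missing": m["missing"] is not None})
        # other HijackThis sections (O16 and so on) are outside this example
    return entries


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list if none fired)."""
    reasons = []
    exe = entry["exe"]
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\temp\\" in low:
        reasons.append("launches from a Temp directory")
    if RANDOM_NAME.match(base):
        reasons.append("random-looking executable name")
    if entry["kind"] == "O4" and not entry["cmd"].startswith('"') and " " in exe:
        reasons.append("unquoted path containing spaces")
    if "setup" in base or "setup" in entry["name"].lower():
        reasons.append("installer left in a Run key")
    if entry["missing"]:
        reasons.append("referenced file is missing")
    return reasons


def flagged(text):
    return {e["name"]: triage(e) for e in parse_hjt(text) if triage(e)}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_HJT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the list in the reply it flags howyk (random name, unquoted path with spaces), RecoverFromReboot (runs from C:\WINDOWS\Temp), Antwar_Setup.exe (installer in HKCU Run) and WRNotifier (DLL missing); the realsched, qttask, jusched, SpySweeper and dumprep entries pass, which matches their status in the reply as startup clutter rather than infection.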
     
  4. wuvablepebbles

    wuvablepebbles Private E-2

    Tell me what you see in the below new folders

    C:\WINDOWS\system32\
    CAPCOM Aug 30 2007 "capcom" ...EMPTY FOLDER
    CFIG322 Aug 30 2007 "cfig322"...icm33o.exe
    DRVR2 Aug 30 2007 "drvr2" ...EMPTY FOLDER
    EN-US Aug 31 2007 "en-US" ...WHOLE BUNCH of DLL.MUI files.. can list them all if you want.
    F02WTR Aug 30 2007 "f02WtR" ...EMPTY FOLDER
    -------------
    Delete the below large file wasting a load of diskspace:
    no problems...done
    -------------
    Run HijackThis (select Do a system scan only)
    No problems... done
    -------------
    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    No problems... done
    -------------
    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    No Problems... done
    ------------
    Make sure you tell me how things are working now!

    MSN folder didn't pop up :)
    What should i do about this find from Panda active scan... what exactly is it? I just want to make sure no one can hack my system.

    Hacktool:HackTool/KillProcWin.A Not disinfected
    C:\Documents and Settings\Chrissie\Local Settings\Application Data\Wildtangent\Cdacache\00\03\D0.dat[simple_killw.exe]
     
  5. wuvablepebbles

    wuvablepebbles Private E-2

    oops here's the files.. sorry about that
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the below folders
    capcom
    CFIG322
    DRVR2
    F02WTR

    Just list the full filenames for about 3 or 4 of them.


    Do you play any of the WildTangent game junk? If not just delete the below folder:
    C:\Documents and Settings\Chrissie\Local Settings\Application Data\Wildtangent
     
  7. wuvablepebbles

    wuvablepebbles Private E-2

    deleted folders including wildtangent

    en-US folder example files:
    admparse.dll.mui
    extmgr.dll.mui
    html.iec.mui
    icardie.dll.mui
    ie4uinit.exe.mui
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that last folder is okay.

    You just have a few non-malware items we should fix. They are leftovers from Symantec/Norton not properly uninstalling. Go to Add/Remove Programs and uninstall the below:
    LiveUpdate 2.5 (Symantec Corporation)
    Norton WMI Update

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to or even if it does not tell you.
    After reboot delete the below folder if found:
    C:\Program Files\Common Files\Symantec Shared

    Now attach new logs from ShowNew and HijackThis
     
  9. wuvablepebbles

    wuvablepebbles Private E-2

    SymWmi is not on the list
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on to the next step with HijackThis and then the rest.
     
  11. wuvablepebbles

    wuvablepebbles Private E-2

    Sorry about delay on this.

    P.S. Just as a side note, I did a little maintenance since there seems to be no more malware: just removed some old kiddie games and movies and defragged.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
