My Hijack This logfile [P]

Status
Not open for further replies.
Re: My Hijack This logfile

Hello Thief12,

Step1 | Kaspersky Webscanner

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step2 | MBAM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Logs needed in next post:

Kaspersky Webscanner
MBAM

Regards,
Mak
 
Kaspersky/MBAM

Sorry for my late reply but I had almost no time to deal with the computer these past two days. Anyway, last night I started doing the Kaspersky Web Scanning, and after 5 hours (12:00) I decided to leave it running and go to sleep. At that time, at 70% scanned, it hadn't found anything. Anyway, this morning, my wife accidentally turned off the computer so I don't know how the scanning finished. She started a scan of the Critical areas alone, and it found this...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 22, 2008 12:55:24
Records in database: 880196
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Jessenia Pagán\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 39399
Threat name: 5
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 00:51:31


File name / Threat name / Threats count
C:\WINDOWS\system32\ddram.exe Infected: not-a-virus:NetTool.Win32.Sniffer.c 1
C:\WINDOWS\system32\ddram.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 2
C:\WINDOWS\system32\ddram.exe Infected: not-a-virus:pSWTool.Win32.PassView.162 1
C:\WINDOWS\system32\ddram.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
C:\WINDOWS\system32\dk\lam2.exe Infected: not-a-virus:NetTool.Win32.Sniffer.c 1
C:\WINDOWS\system32\dk\lam3.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\dk\lam5.exe Infected: not-a-virus:pSWTool.Win32.PassView.162 1
C:\WINDOWS\system32\wmipst.exe Infected: Backdoor.Win32.Bifrose.pqk 1

The selected area was scanned.
 
Mbam

I just finished doing the MBAM scanning also...

Malwarebytes' Anti-Malware 1.18
Database version: 876

11:13:53 AM 6/22/2008
mbam-log-6-22-2008 (11-13-53).txt

Scan type: Quick Scan
Objects scanned: 45856
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
 
Re: My Hijack This logfile

Step1 | ComboFix Script

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

File::
C:\WINDOWS\system32\ddram.exe

Folder::
C:\WINDOWS\system32\dk
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply

Step2 | ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Logs Required In Next Post
-------------------------------

ComboFix (CFScript) Log
New Hijackthis Log
 