Malware...My logs

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6781

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/5/2011 7:42:09 PM
mbam-log-2011-06-05 (19-42-09).txt

Scan type: Quick scan
Objects scanned: 231126
Time elapsed: 28 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Eric\local settings\Temp\ecsxmmm.exe (Trojan.Agent.Gen) → Quarantined and deleted successfully.
c:\documents and settings\Eric\local settings\Temp\hnylhbh.exe (Adware.Agent) → Quarantined and deleted successfully.
c:\documents and settings\Eric\local settings\Temp\kcfccbc.exe (Trojan.Downloader) → Quarantined and deleted successfully.
c:\documents and settings\Eric\local settings\Temp\out5sd.exe (Adware.Agent) → Quarantined and deleted successfully.
c:\WINDOWS\Poigntmt.dll (Trojan.Hiloti) → Quarantined and deleted successfully.

I am in need of help! Here’s my OTS log. So, now what?
Thanks!!
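As an added example (not part of this thread, and not Malwarebytes' own tooling), here is a small Python parser for the MBAM 1.x log layout posted above. It pulls out the header fields, the per-category counts and each listed detection, then runs three checks a helper would want before replying: that the summary counts agree with the items actually listed, which detections were not quarantined, and which hits live under a Temp folder. The sample log embedded in it is constructed for the example, and the `CLEAN_ACTION` string and the helper names are my own, not anything defined by the product.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the MBAM 1.x log layout (not the log from the thread).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6781

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/5/2011 7:42:09 PM
mbam-log-2011-06-05 (19-42-09).txt

Scan type: Quick scan
Objects scanned: 231126
Time elapsed: 28 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\local settings\Temp\abcd123.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\example.dll (Trojan.Hiloti) -> No action taken.
"""

# Action string MBAM writes when an item was fully handled (assumed constant for this example).
CLEAN_ACTION = "Quarantined and deleted successfully"

HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # "Files Infected: 5"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")              # "Files Infected:"
# "<path> (<detection name>) -> <action>."  (accepts the "->" arrow and the "→" seen in pasted logs)
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str   # section the item was listed under, e.g. "Files Infected"
    path: str       # file, folder, key or value that was flagged
    name: str       # detection name, e.g. "Trojan.Agent.Gen"
    action: str     # what MBAM did with it


def parse_mbam_log(text):
    """Return {"header": {...}, "summary": {category: count}, "detections": [Detection]}."""
    header, summary, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            header[m["key"]] = m["val"]
        elif (m := SUMMARY_RE.match(line)):
            summary[m["cat"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["cat"]
        elif section is None or line.startswith("(No malicious"):
            continue                      # header noise or an empty section
        elif (m := ITEM_RE.match(line)):
            detections.append(Detection(section, m["path"], m["name"], m["action"]))
    return {"header": header, "summary": summary, "detections": detections}


def consistency_errors(report):
    """Summary counts that do not match the items actually listed (a truncated paste shows up here)."""
    counted = Counter(d.category for d in report["detections"])
    return [f"{cat}: summary says {n}, listed {counted[cat]}"
            for cat, n in report["summary"].items() if counted[cat] != n]


def unresolved(report):
    """Detections the scanner did not quarantine and delete, i.e. still to be dealt with."""
    return [d for d in report["detections"] if d.action != CLEAN_ACTION]


def temp_dir_hits(report):
    """Detections under a Temp folder, the usual landing spot for dropped executables."""
    return [d for d in report["detections"] if "\\temp\\" in d.path.lower()]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("Database:", rep["header"].get("Database version"), "| scan:", rep["header"].get("Scan type"))
    print("Detections:", len(rep["detections"]), "| in Temp:", len(temp_dir_hits(rep)))
    for d in unresolved(rep):
        print("STILL PRESENT:", d.name, d.path, "->", d.action)
    for err in consistency_errors(rep):
        print("LOG INCONSISTENT:", err)
```

Run it against a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`; anything reported by `unresolved` or `consistency_errors` is what to ask the poster about first.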

Now you wait for Essexboy. He is usually in here from 8:00pm - 11:59pm UK time.

Hi there, it would help if I knew what the problem is.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {9D425283-D487-4337-BAB6-AB8354A81457} [HKLM] -> C:\Program Files\Search Toolbar\SearchToolbar.dll [Search Toolbar]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> C:\Program Files\Search Toolbar\SearchToolbar.dll [Search Toolbar]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> itlnfw32 -> 
YN -> itlntfy -> 
[Files/Folders - Created Within 30 Days]
NY ->  Search Toolbar -> C:\Program Files\Search Toolbar
[Files/Folders - Modified Within 30 Days]
NY ->  Ckosim.bin -> C:\WINDOWS\Ckosim.bin
NY ->  at6o162ssfx0wy76t1 -> C:\Documents and Settings\Angie\Local Settings\Application Data\at6o162ssfx0wy76t1
NY ->  at6o162ssfx0wy76t1 -> C:\Documents and Settings\All Users\Application Data\at6o162ssfx0wy76t1
NY ->  Qhixocital.dat -> C:\WINDOWS\Qhixocital.dat
NY ->  ~17424164r -> C:\Documents and Settings\All Users\Application Data\~17424164r
NY ->  ~17424164 -> C:\Documents and Settings\All Users\Application Data\~17424164
NY ->  17424164 -> C:\Documents and Settings\All Users\Application Data\17424164
NY ->  2990429331 -> C:\Documents and Settings\All Users\Application Data\2990429331
NY ->  iykead.sys -> C:\WINDOWS\System32\drivers\iykead.sys
[Files - No Company Name]
NY ->  ~17424164r -> C:\Documents and Settings\All Users\Application Data\~17424164r
NY ->  ~17424164 -> C:\Documents and Settings\All Users\Application Data\~17424164
NY ->  17424164 -> C:\Documents and Settings\All Users\Application Data\17424164
NY ->  at6o162ssfx0wy76t1 -> C:\Documents and Settings\Angie\Local Settings\Application Data\at6o162ssfx0wy76t1
NY ->  2990429331 -> C:\Documents and Settings\All Users\Application Data\2990429331
NY ->  Qhixocital.dat -> C:\WINDOWS\Qhixocital.dat
NY ->  Ckosim.bin -> C:\WINDOWS\Ckosim.bin
NY ->  at6o162ssfx0wy76t1 -> C:\Documents and Settings\All Users\Application Data\at6o162ssfx0wy76t1
NY ->  iykead.sys -> C:\WINDOWS\System32\drivers\iykead.sys
[File - Lop Check]
NY ->  Avg7 -> C:\Documents and Settings\All Users\Application Data\Avg7
NY ->  {00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} -> C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
NY ->  {429CAD59-35B1-4DBC-BB6D-1DB246563521} -> C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
NY ->  {755AC846-7372-4AC8-8550-C52491DAA8BD} -> C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
NY ->  {81D4BDA8-1F33-4633-B176-8A7E942ABDE1} -> C:\Documents and Settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
NY ->  {8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

OK, I can’t say that I know exactly what’s going on. I’ve never had any problems like this. Malware is bad! So I stepped in to help on this problem and proceeded to get avast on the infected computer. When the boot scan didn’t fix things (all the files and programs are still missing), I followed your directions using the anti-malware program and OTS.
Messages from anti-malware are continually popping up blocking harmful sites. Avast keeps sending warnings and asking me to delete files too.
I just did your last fix and attached the log. I appreciate your help!

OK, now I know what the infection is, let's get to work properly.

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Run RogueKiller again and this time select option 6

FINALLY

Run a fresh OTS scan

Thanks again.
I am posting the RogueKiller log you requested from a different computer while the infected one is now running option 6. I had no problems running it.

I wasn’t sure if you wanted them, but here are my other logs.

You should have the vast majority of your files and folders back now - let's see if we can recover the last two. Once completed, let me know what problems remain.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Custom Items]
:files
attrib -H c:\*.* /s /d /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Things aren’t going so well. When I turned on the PC to do your latest fix everything appeared fine; my files were finally visible! After checking things out I noticed that my program folders in my start menu were almost all empty. Then things started running painfully slow, so very slow. I thought my computer had frozen. OTS wouldn’t start. Then Avast was popping up with malware messages, then the Anti-Malware program was giving messages too. I came back in 30 minutes and I was eventually able to open OTS. However, I didn’t open it in the Avast “sandbox.” Shortly after clicking “run fix,” a black C: prompt screen came up. (It read something like C:WINDOWS/system32/cmd.exe) Next the desktop flashed and all the desktop files were gone as well as the Window’s taskbar. Eventually the C: prompt went away. Now OTS seems to be frozen; the green bars have stopped moving. There’s a ‘windows-looking’ message that reads, “The system needs to reboot to finish removing files. Click Yes to reboot the system.” And there’s only a Yes button…
Avast continues to pop up, I haven’t been quick enough to read the messages, but one said something again about System32/SVChost.exe. So things are at a standstill now. I have no logs to share.
Thank you for your continued help!

Could you manually reboot please? OTS stopped all processes, which is why the desktop disappeared.

After the manual reboot a log came up. However, I am unable to attach it because it’s <400 KB.
I was worried when the odd Windows warning came up because I think this may be how things started. Something that looked like Windows prompted the user to do something and then we proceeded to download this mess onto the PC.

If it is too large to attach then upload to Mediafire and post the sharing link.

Also, what are your current problems? All files and folders back?

http://www.mediafire.com/?ziqgcz2oj01xucp

I’ll get right back to you on your questions. Thanks

OK, I can see why the fix took so long: there was over 500Mb of junk files and about 600 file attributes to reset ;D

The problems I listed earlier still exist.
My files seem to all have been restored; some of the names are in blue text and others in black. Most all of the program folders are empty. Adaware and Malwarebytes continue to pop up with messages and ask me to delete files and so on.

OK phase two

Download Unhide.exe to your desktop and run

THEN

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

-Still no programs. Here’s my log.

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Angie [Admin rights]
Mode: Scan – Date : 06/08/2011 18:47:03

Bad processes: 1
[SUSP PATH] SacNetAgent.exe – c:\documents and settings\all users\application data\clickfree\c2nplus\reminder\sacnetagent.exe → KILLED

Registry Entries: 0

HOSTS File:

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Run RogueKiller again and select option 2

Re-run RogueKiller and select option 6

Follow up with a fresh OTS scan please.

More logs
Thanks