
Antikeymagic_v4_18_beta


  • This topic is locked
4 replies to this topic

#1 niko86

niko86

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:14 AM

Posted 15 July 2007 - 06:10 PM

With the help of this little proggy, Antikeymagic_v4_18_Beta, I found several things on my computer; I have no idea what they are:

1st scan:
AppInit DLLs startup infection deleted! and newly written!
Madshi Injection Driver (Api-Hooker) root tried to remove! (registry heuristic)
Rootkit.Oreans32 rootkit root tried to remove! Eventually only manually extinguishable!

2nd scan:
Windows Appinit DLL startup infection!c:\windows\system32\mljjhhf.dll (registry heuristic)
Madshi Injection Driver (Api-Hooker) root legacy unmasked! (registry heuristic)
Rootkit.Oreans32 rootkit root legacy tracked down! (registry)

Well, this is the log file of the last scan.

There is more to say: for some strange reason there are files like tmp6B.tmp.exe in my C:\Dokumente und Einstellungen\DonKapone\Anwendungsdaten (my user name is donkapone). I have no idea; those files are not removable (I hope it is the right word).

More to say: my IE browser starts itself, and it is now in my Mozilla Firefox 2, too:

http://www.<redirect><.com/?cmp=dn3_fixersff_kw&nid=el&guid={guid}&url={url}&affid={aff}&lid={kws}%3E]http://www.<redirect><.com/?cmp=d...mp;lid={kws}%3E

Mm, help? Oo...

Edited by niko86, 15 July 2007 - 06:14 PM.




#2 buddy215

buddy215

  • BC Advisor
  • 12,995 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:14 PM

Posted 15 July 2007 - 07:18 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

How To start Windows in Safe Mode
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 niko86

niko86
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:14 AM

Posted 16 July 2007 - 05:29 PM

OK, done.
SAS couldn't destroy this strange qwerty12.exe (it was the last message I've got in SAS).

Here is the HijackThis log file.

edit:

I still get this site in my poor Firefox 2:

http://drivecleaner.com/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&lid=%3E&affid=ffd3_67697__{6040884f-39c0-4d29-b574-91331b16a3aa}&rff=&p=37&a=1&ed=2&ex=1&hv=10

2nd edit:
This is what I see on this site (it opened and I've seen it):

now = new Date(); offset = now.getTimezoneOffset()/60; expire = new Date(now.getTime() + 1000 * 60 * 60 * 24 * 30); z = -(offset); function setCookie(cookieName, cookieValue, expires, path, domain, secure) { document.cookie = escape(cookieName) + '=' + escape(cookieValue) + (expires ? '; EXPIRES=' + expires.toGMTString() : '') + (path ? '; PATH=' + path : '') + (domain ? '; DOMAIN=' + domain : '') + (secure ? '; SECURE' : ''); } setCookie("z", z, expire, "/"); document.location.replace('/.freeware/inde


And THIS is what I've got after I wanted to see the site code (ctrl+v in Firefox):

<html>
<head>
<title></title>
<script>
now = new Date();
offset = now.getTimezoneOffset()/60;
expire = new Date(now.getTime() + 1000 * 60 * 60 * 24 * 30);
z = -(offset);
function setCookie(cookieName, cookieValue, expires, path, domain, secure) {
	document.cookie = escape(cookieName) + '=' + escape(cookieValue)
		+ (expires ? '; EXPIRES=' + expires.toGMTString() : '')
		+ (path ? '; PATH=' + path : '')
		+ (domain ? '; DOMAIN=' + domain : '')
		+ (secure ? '; SECURE' : '');
}
setCookie("z", z, expire, "/");
document.location.replace('/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&lid=%3E&affid=ffd3_67697__{6040884f-39c0-4d29-b574-91331b16a3aa}&rff=&p=37&a=1&ed=2&ex=1&hv=10&z='+z);
</script>
<noscript>
<meta http-equiv="Refresh" content="0; URL=/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&lid=%3E&affid=ffd3_67697__{6040884f-39c0-4d29-b574-91331b16a3aa}&rff=&p=37&a=1&ed=2&ex=1&hv=10&z=undefined"> 
</noscript>
</head>
<frameset>
	<frame src="/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&lid=%3E&affid=ffd3_67697__{6040884f-39c0-4d29-b574-9133


I thought it could be helpful; you are pros and you need every bit of information. Still, I think it is not complete.

Edited by niko86, 16 July 2007 - 05:34 PM.
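The page source pasted above is a three-way forwarder: a script reads the browser's timezone offset, stores it in a cookie named z, and replaces the location with the affiliate landing URL; a noscript meta refresh and a frameset carry the same URL for browsers with scripting disabled, so blocking one mechanism alone does nothing. What follows is an added example, not code from this thread or from any product named in it: a small Node.js triage helper that pulls all three destinations out of a captured page and lists their tracking parameters, so a responder can inspect the page offline instead of loading it in a browser. The sample page is constructed from the thread's own source; the frame line, which the post cuts off, is filled with an obviously labelled placeholder, and the base host example.invalid is an assumption used only to resolve the relative paths.

```javascript
// Added triage helper (not code from the thread): extract the redirect
// targets and tracking parameters from a captured forwarder page.
// Runs under Node.js; only the built-in WHATWG URL parser is used.

// Constructed sample built from the source posted in the thread. The
// <frame> line was cut off in the post, so its affid is a placeholder.
const CAPTURED_HTML = `<html>
<head>
<title></title>
<script>
now = new Date();
offset = now.getTimezoneOffset()/60;
expire = new Date(now.getTime() + 1000 * 60 * 60 * 24 * 30);
z = -(offset);
setCookie("z", z, expire, "/");
document.location.replace('/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&lid=%3E&affid=ffd3_67697__{6040884f-39c0-4d29-b574-91331b16a3aa}&rff=&p=37&a=1&ed=2&ex=1&hv=10&z='+z);
</script>
<noscript>
<meta http-equiv="Refresh" content="0; URL=/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&lid=%3E&affid=ffd3_67697__{6040884f-39c0-4d29-b574-91331b16a3aa}&rff=&p=37&a=1&ed=2&ex=1&hv=10&z=undefined">
</noscript>
</head>
<frameset>
<frame src="/.freeware/index.php?aid=ffd3_el_fixersff_kw_mtrt&affid=CONSTRUCTED_PLACEHOLDER&p=37">
</frameset>
</html>`;

// Assumed base origin, used only so the relative paths can be parsed.
const ASSUMED_BASE = 'http://example.invalid';

// One pattern per delivery mechanism seen in the capture.
const REDIRECT_PATTERNS = {
  script:   /document\.location\.replace\('([^']+)'/i,   // JS location.replace
  noscript: /content="\d+;\s*URL=([^"]+)"/i,             // meta refresh fallback
  frame:    /<frame\s+src="([^"]+)"/i,                   // frameset fallback
};

// Return {mechanism: rawUrl} for every mechanism present in the page.
function extractRedirects(html) {
  const found = {};
  for (const [kind, re] of Object.entries(REDIRECT_PATTERNS)) {
    const m = re.exec(html);
    if (m) found[kind] = m[1];
  }
  return found;
}

// Parse one target into its path and decoded query parameters
// (e.g. lid=%3E decodes to ">").
function parseLanding(target) {
  const u = new URL(target, ASSUMED_BASE);
  const params = {};
  for (const [k, v] of u.searchParams) params[k] = v;
  return { path: u.pathname, params };
}

// What the forwarder's script computes: getTimezoneOffset() is minutes
// behind UTC (negative east of UTC), so z ends up as the UTC offset in
// hours, e.g. -120 minutes (Central European Summer Time) gives z = 2.
function timezoneTag(offsetMinutes) {
  return -(offsetMinutes / 60);
}

// True when every extracted target lands on the same path with the same
// campaign id (aid), i.e. the fallbacks all reach the same landing page.
function sameLandingPage(targets) {
  const parsed = targets.map(parseLanding);
  return parsed.every(p => p.path === parsed[0].path
                        && p.params.aid === parsed[0].params.aid);
}

// Full triage summary for a captured page.
function triage(html) {
  const redirects = extractRedirects(html);
  const summary = {};
  for (const [kind, raw] of Object.entries(redirects)) {
    const { path, params } = parseLanding(raw);
    summary[kind] = { path, aid: params.aid, affid: params.affid, z: params.z };
  }
  summary.consistent = sameLandingPage(Object.values(redirects));
  return summary;
}

console.log(JSON.stringify(triage(CAPTURED_HTML), null, 2));
```

Run it with node against page source saved from the browser (view source, not a live visit). The output shows that the script path sends z as a runtime value while the noscript fallback sends the literal string "undefined", which is a handy fingerprint when hunting for the same forwarder in proxy logs.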


#4 niko86

niko86
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:14 AM

Posted 16 July 2007 - 05:56 PM

OMFG!!!!! There are strange things happening on my computer.. I'm not crazy, but I'm hearing sounds like a photo was made, this *clicksh*.. every.. 10 seconds?! Oo.... omg, I'm scared about my PC...

#5 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:07:14 PM

Posted 16 July 2007 - 11:46 PM

niko86,

Since you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so, could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA
