Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tr/qhost.aa Problem, Nothing Will Get Rid Of It!


  • Please log in to reply
2 replies to this topic

#1 jinx86

jinx86

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 28 February 2008 - 05:09 PM

Hey..

I was in mIRC, and stupidly clicked on a link and voila, I have a virus.

I followed all the instructions on this page: http://securitynewsfromthenet.blogspot.com...-combo-fix.html - to a T.

The virus is still kickin', and I managed to get a log with the SmitfraudFix. Not sure if this is the right place for this, as I'm thinking it's not a HijackThis log...but I don't know much, if anything about computers, viruses and the like, so I'm just hoping someone can help me :blink:

Here's the log. I'm not sure if I have to post the whole thing or not, but I will just in case. Thanks in advance for any help :thumbsup:

SmitFraudFix v2.298

Scan done at 15:57:41.95, Thu 02/28/2008
Run from C:\Documents and Settings\Princess Sarah\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\mssvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Princess Sarah


C:\Documents and Settings\Princess Sarah\Application Data


Start Menu


C:\DOCUME~1\PRINCE~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: ADMtek AN983 based ethernet adapter - Packet Scheduler Miniport
DNS Server Search Order: 64.71.255.198

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC089A3F-6BBA-458F-84BA-9A01D9712DA0}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AC089A3F-6BBA-458F-84BA-9A01D9712DA0}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AC089A3F-6BBA-458F-84BA-9A01D9712DA0}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198


Scanning for wininet.dll infection


End

BC AdBot (Login to Remove)

 


#2 jinx86

jinx86
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 28 February 2008 - 05:21 PM

I should probably add that I get pop-ups periodically, as well as after every restart, trying to link me back to the page where I got the virus to begin with. It was something to do with counter-strike radio, but I can't remember now. When I get the pop-up again, I'll post what it says here.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 17 March 2008 - 03:26 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users