
Please Help: Computer Has Mysterious Virus


  • This topic is locked
29 replies to this topic

#1 mcomputer

mcomputer

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 04:21 PM

Someone please help. I uninstalled flash player but something weird is happening. I type "creed" for example into the yahoo browser and go to yahoo images. Then, some of the images yahoo displays are hijacked by some ads saying that it is scanning my computer for viruses, but it just looks like an animation. When I click properties on the animation, it says this: "http://82.98.235.72/banners/newbanner1/125x125.gif". Other times, the ads are porn-related, which is very distressing to my wife, since sometimes my son uses this computer as well. I have run adaware, super antispyware, and spybot, and have also run VundoFix and RogueRemover, and nothing seems to get rid of it.

Internet Explorer is also exhibiting a lot of other strange behaviours and appears to have been hijacked by a wild pack of animations and ads and bad things. Someone please help me figure out what this malware is and how to get rid of it. Thank you very much!!!!!

Michael



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:05 AM

Posted 15 March 2008 - 04:30 PM

Hi, welcome to Bleeping Computer. Before we go any further, could I ask for your system information (version, service pack, Internet Explorer version, etc.)? Please refer to this page.

This looks like the work of a rootkit, especially considering it was overlooked by the scans you listed. We will proceed to scan for rootkits after we confirm the compatibility of the tools with your computer.

#3 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 04:34 PM

It's a Dell computer with Windows XP. I have the service pack set to update automatically, so it's the latest one. Internet Explorer version 7. What is a rootkit? It sounds terrible.

#4 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 04:42 PM

I have also run the Kaspersky online scanner. It's still running in the critical areas section but hasn't found any infected files or viruses yet. Thank you for helping, PropagandaPanda. By the way, there is a new movie coming out called Kung Fu Panda. Just saw the preview today.

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:05 AM

Posted 15 March 2008 - 04:44 PM

Thank you for the info provided.

For some more info regarding rootkits, please click the link in my above post.

We will now proceed with a rootkit scan.
  • Please download Rootkit Revealer and unzip the contents.
  • Run a scan with the application.
  • When the scan is complete, click File and Save, to save it.
  • Copy the contents of the log created into your next post.
The scan may take a while, so please be patient.

This scan will not alter your computer in any way.

Edited by PropagandaPanda, 15 March 2008 - 04:47 PM.


#6 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 04:51 PM

How can I tell when the rootkit scan is complete? It still says "enumerating c:files" at the lower left of the window.
Michael

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:05 AM

Posted 15 March 2008 - 04:54 PM

I actually haven't used this tool in a while, so correct me if I'm wrong.

The scan is complete when the "Abort" option on the lower right-hand corner is gone.

#8 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 05:04 PM

Look out below, here it is:

HKLM\SECURITY\Policy\Secrets\SAC* 8/16/2005 1:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/16/2005 1:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/9/2006 8:20 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 3/15/2008 5:45 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\MICHAEL\Cookies\michael@a.answers[1].txt 3/15/2008 5:50 PM 456 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Cookies\michael@aggregateknowledge[2].txt 3/15/2008 5:50 PM 462 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Cookies\michael@anad.tacoda[1].txt 3/15/2008 5:50 PM 76 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Cookies\michael@answers[1].txt 3/15/2008 5:50 PM 476 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Cookies\michael@www.answers[2].txt 3/15/2008 5:50 PM 718 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temp\AVP6B7.tmp 3/15/2008 5:54 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temp\AVP6EC.tmp 3/15/2008 5:55 PM 217 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\MICHAEL\Local Settings\Temp\AVP6ED.tmp 3/15/2008 5:54 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\MICHAEL\Local Settings\Temp\AVP6EE.tmp 3/15/2008 5:55 PM 4.47 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\buy_now[1].jpg 3/15/2008 5:50 PM 2.44 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\csrc=2635;csrc=2291;csrc=1966;csrc=2750;csrc=1964;csrc=2597;csrc=2388;csrc=2474;csrc=2521;csrc=2695;csrc=2540;csrc=2767;csrc=2758;csrc=2086;csrc=2710;ord=2[1].h 3/15/2008 5:50 PM 29.31 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\dsdata[1].htm 3/15/2008 5:50 PM 36.82 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\errorPageStrings[1] 3/15/2008 5:52 PM 850 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\get[1].media 3/15/2008 5:50 PM 731 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\jargonFile[1].gif 3/15/2008 5:50 PM 1.42 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\link_icon[1].gif 3/15/2008 5:50 PM 1.11 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\topic_title_back[1].gif 3/15/2008 5:50 PM 160 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\3XUXY6FT\wg_08[1].gif 3/15/2008 5:50 PM 2.08 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\3030890[1].js 3/15/2008 5:50 PM 56.68 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\adServerESI[1].htm 3/15/2008 5:50 PM 20 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\aggregate_knowledge[1].css 3/15/2008 5:50 PM 775 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\backNav_explore[1].gif 3/15/2008 5:50 PM 1.59 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\bullet[1] 3/15/2008 5:43 PM 3.09 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\network_300x250_PRO2_static[1].jpg 3/15/2008 5:50 PM 22.07 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\picture57291[1].css 3/15/2008 5:50 PM 50.62 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\slf[1].js 3/15/2008 5:50 PM 9.75 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\tools_leftCorner[1].gif 3/15/2008 5:50 PM 90 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\topNav_blue[1].gif 3/15/2008 5:50 PM 328 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\45VM70SL\WDWAfford_ONDFY08_Sully58_JS_300x250[1].jpg 3/15/2008 5:50 PM 19.12 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\300x250[1].gif 3/15/2008 5:50 PM 34.72 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\9127775[1].js 3/15/2008 5:50 PM 3.18 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\aceUAC[1].js 3/13/2008 10:37 PM 8.93 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\csrc=2635;csrc=2291;csrc=1966;csrc=2750;csrc=1964;csrc=2597;csrc=2388;csrc=2474;csrc=2521;csrc=2695;csrc=2540;csrc=2767;csrc=2758;csrc=2086;csrc=2710;ord=2[1].h 3/15/2008 5:50 PM 29.43 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\down[1] 3/15/2008 5:52 PM 3.33 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\gray_bottomLeft[1].gif 3/15/2008 5:50 PM 70 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\gray_topLeft[1].gif 3/15/2008 5:50 PM 73 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\gray_topRight[1].gif 3/15/2008 5:50 PM 71 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\httpErrorPagesScripts[1] 3/15/2008 5:43 PM 7.40 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\index[4].htm 3/15/2008 5:51 PM 100.77 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\rss_feed_icon[1].gif 3/15/2008 5:50 PM 652 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\t213[1].css 3/15/2008 5:50 PM 7.65 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\93UAQIZP\wikipedia[1].gif 3/15/2008 5:50 PM 2.17 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\__utm[6].gif 3/15/2008 5:50 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\answers_print_style[1].css 3/15/2008 5:50 PM 2.60 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\backTaxonomyHeader2[1].gif 3/15/2008 5:50 PM 151 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\bullet[1] 3/15/2008 5:52 PM 3.09 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\CDE[1].gif 3/15/2008 5:50 PM 2.57 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\get[1].media 3/15/2008 5:50 PM 273 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\infocomsearch300[1].gif 3/15/2008 5:50 PM 5.29 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\infocomsearchbn[1].gif 3/15/2008 5:50 PM 784 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\969VYRHS\provided_by_shopping[1].gif 3/15/2008 5:50 PM 2.34 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\b_search[1].gif 3/15/2008 5:50 PM 2.25 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\csrc=2635;csrc=2291;csrc=1966;csrc=2750;csrc=1964;csrc=2597;csrc=2388;csrc=2474;csrc=2521;csrc=2695;csrc=2540;csrc=2767;csrc=2758;csrc=2086;csrc=2710;ord=2[1].h 3/15/2008 5:50 PM 29.47 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\dnserrordiagoff_webOC[1] 3/15/2008 5:52 PM 6.61 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\dot[3].gif 3/15/2008 5:50 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\dref=http%253A%252F%252Fwww.answers[1].com%252Frootkit%253Fnr%253D1%2526lsc%253Dtrue%2526cat%253Dtechnology 3/15/2008 5:50 PM 788 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\dsdata[1].htm 3/15/2008 5:50 PM 35.77 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\tools_div[1].gif 3/15/2008 5:50 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\Wellpoint_Empire_728x90_v2[1].jpg 3/15/2008 5:50 PM 24.98 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\BKI5SG67\wgw_03[1].gif 3/15/2008 5:50 PM 4.34 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\082489[1] 3/15/2008 5:50 PM 4.91 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\6a73536c534b396b3171566b526e6d5f397677-100x100-0-0[1].jpg 3/15/2008 5:50 PM 3.74 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\7222-56882-3611-2[1].htm 3/15/2008 5:50 PM 475 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\answersLogote[1].gif 3/15/2008 5:50 PM 2.95 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\background_gradient[1] 3/15/2008 5:52 PM 453 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\dref=http%253A%252F%252Fwww.answers[1].com%252Frootkit%253Fnr%253D1%2526lsc%253Dtrue%2526cat%253Dtechnology 3/15/2008 5:50 PM 600 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\errorPageStrings[1] 3/15/2008 5:43 PM 850 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\httpErrorPagesScripts[2] 3/15/2008 5:52 PM 7.40 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\index[2].gif 3/15/2008 5:52 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\mail_icon[1].gif 3/15/2008 5:50 PM 1.13 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\navcancl[1] 3/15/2008 5:52 PM 2.65 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\searcht177[1].gif 3/15/2008 5:50 PM 1.39 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E79ACL96\tools_rightCorner[1].gif 3/15/2008 5:50 PM 89 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\ads[4] 3/15/2008 5:50 PM 2.23 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\answ_utils27795[1].js 3/15/2008 5:50 PM 110.99 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\citation_button[1].gif 3/15/2008 5:50 PM 1.75 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\down[2] 3/15/2008 5:43 PM 3.33 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\faviconCA79C8NW.ico 3/15/2008 5:50 PM 1.12 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\gray_bottomRight[1].gif 3/15/2008 5:50 PM 71 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\gray_div[1].gif 3/15/2008 5:50 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\index[1].gif 3/15/2008 5:43 PM 43 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\rootkit[1].htm 3/15/2008 5:50 PM 105.21 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\wg_06[1].gif 3/15/2008 5:50 PM 204 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\wg_07[1].gif 3/15/2008 5:50 PM 313 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\wg_16[1].gif 3/15/2008 5:50 PM 2.69 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\0%26gopid%3D768594%26%23entry768594;ce=1;je=1;sr=1152x864x32;dc=1204982546-58575679-8814068;dst=1;et=1205617835046;tzo=240;a=p-72V4-XKpaKDrE;tags=Answers[1].gif 3/15/2008 5:50 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\aceUAC[1].js 3/15/2008 5:50 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\answers2[1].xml 3/15/2008 5:50 PM 352 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\answersToolbarScreen_small[1].gif 3/15/2008 5:50 PM 5.15 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\background_gradient[1] 3/15/2008 5:43 PM 453 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\backNav_blue[1].gif 3/15/2008 5:50 PM 76 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\csrc=2635;csrc=2291;csrc=1966;csrc=2750;csrc=1964;csrc=2597;csrc=2388;csrc=2474;csrc=2521;csrc=2695;csrc=2540;csrc=2767;csrc=2758;csrc=2086;csrc=2710;ord=2[1].h 3/15/2008 5:50 PM 29.31 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\get[1].media 3/15/2008 5:50 PM 697 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\JS[1].htm 3/15/2008 5:50 PM 313 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\print_icon[1].gif 3/15/2008 5:50 PM 1.19 KB Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SYWEOSZ9\wg_03[1].gif 3/15/2008 5:50 PM 2.24 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\ HFX Filter.xml 12/7/1620 3:51 AM 509 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\ HFX Transition.xml 12/7/1620 3:51 AM 539 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\HFX Filter.xml 7/21/30046 6:36 PM 509 bytes Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\HFX Transition.xml 7/21/30046 6:36 PM 539 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 3/15/2008 5:48 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

#9 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 05:07 PM

And here is the result of the Kaspersky report, which says I am infected, although it does not appear to offer a way to have their program delete the files.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 15, 2008 6:05:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 632031
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\MICHAEL\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 20287
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:28:36

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\KB892130.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{61A76BB3-6B60-46E4-9C19-2AF697E20EFC}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{846E4884-2648-4DC4-9E53-96D6286F2DFC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cckajggj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\SJLHXDB Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_DayeuJzaMTt0Hsn Object is locked skipped
C:\WINDOWS\Temp\mcafee_KblkAbhn0BOzxaA Object is locked skipped
C:\WINDOWS\Temp\mcmsc_fP74sDKQW4t7CbW Object is locked skipped
C:\WINDOWS\Temp\mcmsc_hVUe68q7QX6FtEY Object is locked skipped
C:\WINDOWS\Temp\mcmsc_JtJzvrtgzs6dAd8 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_WChurrfPAAFxSHI Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\MICHAEL\LOCALS~1\Temp\~DF57BE.tmp Object is locked skipped

Scan process completed.
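The two logs above are the raw material of this whole thread, and reading a RootkitRevealer dump by eye is error-prone: most of its lines are scan-time churn, and the few that matter are easy to miss. As an added example (this is not code from the thread or a tool the Malware Response Team used), the Python script below parses both formats and sorts the RootkitRevealer discrepancies into triage classes. The sample input is constructed: a handful of lines copied verbatim from the two logs posted above, embedded inline so the script runs offline. The classes themselves are this example's own heuristics, not a RootkitRevealer feature: LSA `SAC*`/`SAI*` secrets and the CryptoAPI `RNG\Seed` mismatch are documented Sysinternals noise, cache and temp files that change while the scan runs show up as hidden or vanished, and a `CLSID\...\InprocServer32` key whose name contains embedded nulls is a registration the normal registry API cannot see and should always be examined.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines copied in shape from the
# RootkitRevealer log and the Kaspersky report posted in this thread. The full
# logs are much longer; the parser below does not depend on these exact lines.
ROOTKITREVEALER_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 8/16/2005 1:01 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 1/26/2008 4:58 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 3/15/2008 5:45 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\MICHAEL\Cookies\michael@answers[1].txt 3/15/2008 5:50 PM 476 bytes Hidden from Windows API.
C:\Documents and Settings\MICHAEL\Local Settings\Temp\AVP6EE.tmp 3/15/2008 5:55 PM 4.47 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GP82HC2M\rootkit[1].htm 3/15/2008 5:50 PM 105.21 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\HFX Filter.xml 7/21/30046 6:36 PM 509 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 3/15/2008 5:48 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
"""

KASPERSKY_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\cckajggj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\SJLHXDB Object is locked skipped
"""

# One RootkitRevealer line: <path> <m/d/yyyy h:mm AM|PM> <size> <discrepancy>.
# The path may contain spaces, so it is matched non-greedily up to the timestamp.
RKR_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<ts>\d{1,2}/\d{1,2}/\d+ \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+(?P<why>.+)$"
)
# One Kaspersky detection line: <path> Infected: <name> <action>.
KAV_INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected: (?P<name>\S+)\s+(?P<action>\S+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_rkr(text):
    """Return one dict per RootkitRevealer discrepancy line; other lines are ignored."""
    return [m.groupdict() for m in (RKR_LINE.match(l.strip()) for l in text.splitlines()) if m]


def classify(entry):
    """Triage heuristic (an assumption of this example, not a RootkitRevealer feature)."""
    path, why = entry["path"].lower(), entry["why"].lower()
    # LSA secrets SAC*/SAI* and the CryptoAPI RNG seed are documented as normal
    # RootkitRevealer noise: the seed is rewritten constantly, so the API read
    # and the raw-hive read never agree.
    if path.startswith(r"hklm\security\policy\secrets\sa") or path.endswith(r"\cryptography\rng\seed"):
        return "benign"
    # A COM InprocServer32 key whose name contains NULs cannot be opened or
    # enumerated through the normal Win32 registry API, which is how some
    # adware hides the DLL a CLSID loads. Worth a look every time.
    if "\\inprocserver32" in path and "embedded nulls" in why:
        return "investigate"
    # Browser cache, cookies and temp files are rewritten while the scan runs,
    # so they appear created or deleted between the API pass and the raw pass.
    if any(s in path for s in ("\\temporary internet files\\", "\\cookies\\", "\\temp\\")):
        return "transient"
    if "not in mft" in why or "not windows api or mft" in why:
        return "transient"
    return "review"


def parse_kav(text):
    """Return (list of (path, detection name) for infected objects, count of locked objects)."""
    infected, locked = [], 0
    for line in text.splitlines():
        m = KAV_INFECTED.match(line.strip())
        if m:
            infected.append((m["path"], m["name"]))
        elif "Object is locked" in line:
            locked += 1
    return infected, locked


def triage_report(rkr_text, kav_text):
    """Combine both logs into one summary a responder can act on."""
    entries = parse_rkr(rkr_text)
    counts = Counter(classify(e) for e in entries)
    investigate = []
    for e in entries:
        if classify(e) == "investigate":
            m = CLSID.search(e["path"])
            investigate.append((m.group(0) if m else e["path"], e["ts"]))
    review = [e["path"] for e in entries if classify(e) == "review"]
    infected, locked = parse_kav(kav_text)
    return {
        "counts": dict(counts),
        "investigate": investigate,  # (CLSID, timestamp) pairs to check by hand
        "review": review,
        "infected": infected,
        "locked": locked,
    }


if __name__ == "__main__":
    r = triage_report(ROOTKITREVEALER_LOG, KASPERSKY_REPORT)
    print("discrepancies by class:", r["counts"])
    for clsid, ts in r["investigate"]:
        print("hidden CLSID registration:", clsid, "created", ts)
    for path, name in r["infected"]:
        print("Kaspersky detection:", path, name)
```

Run against the full log posted above, the "investigate" bucket holds twelve `InprocServer32` keys that all carry the same 1/26/2008 4:58 PM timestamp, while the Kaspersky scan flags `C:\WINDOWS\system32\cckajggj.dll` as `AdWare.Win32.Virtumonde.gen`. The thread does not establish that the two are linked, but a batch of COM registrations hidden with embedded nulls and created in the same minute is the first thing to check, and the "benign" and "transient" buckets are what let a responder ignore the other seventy-odd lines with a clear conscience.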

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:05 AM

Posted 15 March 2008 - 05:14 PM

You can start by clearing the temp files.
  • Start>Run>type "cmd"
  • Type "del %USERPROFILE%\LOCALS~1\Temp\*.*"
  • Hit return.
  • Type "del %WINDIR%\temp\*.*"
  • Hit return.
  • Exit the command prompt.
I can't seem to find that critical object in the WINDOWS folder; perhaps it was just a temp file. It is possible that this problem was caused by an object in the temp folder. If the problem persists, please do not hesitate to ask for more assistance.

Edited by PropagandaPanda, 15 March 2008 - 05:22 PM.


#11 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 05:25 PM

When I type that command at the C prompt, it says "system cannot find path specified". What directory do I need to be in to run it?

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:05 AM

Posted 15 March 2008 - 05:34 PM

You should be in C:, or your operating drive (with your desktop on it). To find out, right-click your Start button and select Explore.

#13 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 05:43 PM

I tried running it in C:\ and it didn't work. So I read through the logs, and found a Temp directory at C:\Documents and Settings\MICHAEL\Local Settings\Temp. So I found my way to that directory at the command prompt and typed in "del *.*". It replied by saying that "the process cannot access the file since it's in use by another process". Then it says there are still 4 files and 75 directories (!!!) left in there. Should I just go into Windows Explorer and delete them one by one? Please stay with me until this is fixed, since it's really killing my computer. Thank you so much. If we get this solved, I will make a donation to the site, if they accept them.

Michael

#14 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 05:46 PM

OK, I went into Windows Explorer and was able to delete ALL the files and directories in that TEMP folder except for a single .TMP file that it won't let me delete since it's in use by another program.

Is it really plausible that the malware I have is sitting in a temp folder and not someplace worse like the registry?

#15 mcomputer

mcomputer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 15 March 2008 - 06:00 PM

I am still getting the hijacked ads everywhere, and the properties tab says: "http://82.98.235.72/banners/malware/125x125v2.gif"



