
Trojan-spy.win32.greenscreen


106 replies to this topic

#1 smacki25

smacki25

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 08:19 AM

1

Edited by smacki25, 15 September 2008 - 05:46 AM.




#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2008 - 09:37 AM

Hello smacki25

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 09:43 AM

2

Edited by smacki25, 15 September 2008 - 05:46 AM.


#4 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 09:48 AM

3

Edited by smacki25, 15 September 2008 - 05:47 AM.


#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2008 - 09:53 AM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\smp
    C:\WINDOWS\mslagent
    C:\Program Files\Inet Delivery
    C:\Program Files\akl
    C:\WINDOWS\zipped.tmp
    C:\WINDOWS\zip3.tmp
    C:\WINDOWS\zip2.tmp
    C:\WINDOWS\zip1.tmp
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\vbsys2.dll
    C:\WINDOWS\system32\thun32.dll
    C:\WINDOWS\system32\thun.dll
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\Rundl1.exe
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\msvchost.exe
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\medup020.dll
    C:\WINDOWS\system32\medup012.dll
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\system32\h@tkeysh@@k.dll
    C:\WINDOWS\system32\emesx.dll
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\bdn.com
    C:\WINDOWS\system32\awtoolb.dll
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\bdn.com
    C:\WINDOWS\base64.tmp
    C:\WINDOWS\a.bat
    C:\Documents and Settings\All Users\Application Data\gpwxyngb
    C:\Program Files\dhotvxd
    C:\Documents and Settings\All Users\Application Data\exkhqhep
    C:\WINDOWS\system32\qbixshkj.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=====================
Please post these logs in your next reply:
  • OTMoveIt log
  • Malwarebytes log
  • New RSIT log


#6 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 10:09 AM

4

Edited by smacki25, 15 September 2008 - 05:47 AM.


#7 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 10:11 AM

A

Edited by smacki25, 15 September 2008 - 05:47 AM.


#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2008 - 10:18 AM

Hi, can you post a new RSIT log please?

#9 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 10:23 AM

B

Edited by smacki25, 15 September 2008 - 05:47 AM.


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2008 - 10:25 AM

That would be the first tool I had you download.
It is a greyish icon and it says Rsit underneath it.
It should be on your desktop.

#11 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 10:29 AM

C

Edited by smacki25, 15 September 2008 - 05:48 AM.


#12 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 10:54 AM

D

Edited by smacki25, 15 September 2008 - 05:48 AM.


#13 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 11:06 AM

4

Edited by smacki25, 15 September 2008 - 05:48 AM.


#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2008 - 12:48 PM

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything; that's normal.
Your mouse pointer may turn to an hourglass for a minute.
Please continue when it no longer has the hourglass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cfgutilsh"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\drivers\svchost.exe"=-
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
Reboot for the changes to take place and post one more RSIT log, and let me know how things are running.
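As an added example (not part of the thread and not code from any BleepingComputer tool), here is a small Python dry-run parser for a REGEDIT4 file like the fixthis.reg above: it lists every key deletion, value deletion and value assignment the file would perform when merged, which is the review a helper or user wants before double-clicking it. The sample input is kahdah's fixthis.reg copied verbatim from the post; the .reg grammar handled is the documented `[-KEY]`, `"name"=-` and `"name"=data` forms only.

```python
import re
from typing import List, Optional, Tuple

# Sample input: the fixthis.reg from kahdah's post above, copied verbatim.
FIXTHIS_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cfgutilsh"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\drivers\svchost.exe"=-
"""

# One action per line: (kind, key, value name, raw data). kind is "delete_key",
# "delete_value" or "set_value"; the name "@" means the key's default value.
Action = Tuple[str, str, str, str]

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def parse_reg(text: str) -> List[Action]:
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file, header is %r" % header)
    actions: List[Action] = []
    current: Optional[str] = None       # key that following value lines apply to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-":       # [-KEY] removes the whole subtree
                actions.append(("delete_key", current, "", ""))
                current = None          # values may not follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            data = m.group(3).strip()
            if data == "-":             # "name"=- deletes that single value
                actions.append(("delete_value", current, name, ""))
            else:
                actions.append(("set_value", current, name, data))
            continue
        raise ValueError("unrecognised line: %r" % raw)
    return actions
```

Running `parse_reg(FIXTHIS_REG)` shows the fix deletes two keys (the BHO registration and its CLSID) and two values (the Run entry and the firewall exception), and nothing else.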

#15 smacki25

smacki25
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male

Posted 14 September 2008 - 02:12 PM

3

Edited by smacki25, 15 September 2008 - 05:49 AM.




