
Used A Warez Site, Infected To Hell, Not Reformatting



#1 BenRS
Members, 7 posts

Posted 27 February 2006 - 09:35 PM

I recently stumbled upon a warez site in search of some information about a couple programs, and almost instantly I seemed to be infected with numerous nuisances.

The worst one is a program that seems to generate dialers in the form of win(variables).tmp.exe, getting multiple ones there that regenerate after being deleted and pop up annoying ActiveX control can not be used messages every minute or two.

There are other ones too, and they are all very resistant; I have used Adaware, Spybot, AVG, Panda, Windows Defender, and spyware doctor (don't have it registered, use it to detect threats and then manually remove the files/reg keys). Every time I make progress, it is negated usually before I even reboot.

After working on said for several hours in safemode with HJT and the latter programs, I have gotten most of the easily removable viruses out, but the following respawn and I haven't been able to kill them. I'm listing the viruses now with as much info as I've gathered about them.

I would reformat, but I really don't want to since I don't have all of my driver discs and don't have my WinXP disc with me on campus.

Please help :D.

Dialer.AXJ:

Makes following files-
content.ie5\QS3AVBKQ\srvbin4[1].exe
windows\temp\winxy.tmp.exe

Following Processes-
winxy.tmp.exe

Makes a Windows notice box about how an ActiveX control failed to work (I think something is blocking its function).

Rbot.fu:

Makes registry entries-
HKLM\Software\Microsoft\MSSMGR (note: folder with several values)

When I try to delete these values, they regenerate relatively quickly.

SpywareStrike:

Adware that Panda protection finds and neutralizes every several minutes.
Note: used SmitRem stuff to remove this, keeps coming back.

Purityscan:

Adware. Found it with Panda, not quite sure what all it does but it doesn't seem to go away.

SexList:

Found it on Spybot SD, seems to find it every time I run SBSD.

Zolob:

Not sure what it does either, but it seems to re-appear every time I scan with windows defender.


#2 tg1911 (Lord Spam Magnet)
Members, 19,274 posts
Location: SW Louisiana

Posted 27 February 2006 - 11:13 PM

You should not try to fix anything with HJT, unless you have been properly trained in its use.
HJT is a tool used to locate "problems".
The removal of these "problems" is sometimes much more involved than just having HJT fix it.
The improper use of HJT could also cause damage to your system.

I suggest you post a HJT log for our Team to examine.
They'll take you through the fix, step by step.

Read How to post a HijackThis Log.
Please read, and follow, all directions carefully.

Then, run a log, and post it in the HJT forum, at this link. Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.

#3 BenRS (Topic Starter)
Members, 7 posts

Posted 27 February 2006 - 11:25 PM

Thanks for the help, posted a log, don't worry about prior HJT usage, I have exp with it.

Thanks again for the post.

#4 jgweed
Members, 28,473 posts
Location: Chicago, Il.

Posted 28 February 2006 - 12:49 AM

Let us let the HJT team do their magic without interfering here in this thread or working at cross-purposes with their instructions.
Regards,
John
Forum Moderator
Whereof one cannot speak, thereof one should be silent.
