
Hidden Internet Explorer Menu


  • This topic is locked
14 replies to this topic

#1 Empty Agenda

  • Members
  • 14 posts

Posted 25 September 2006 - 02:28 AM

Hey guys,
I can't see the menu in my Internet Explorer, but it's still there, only without the text (File, Edit ...), and pressing Alt+F would show the File drop-down menu. I tried a lot of things: I uninstalled then reinstalled it, tried Spybot, Ad-Aware. And when I tried to browse BleepingComputer, it only opened the index page. It didn't open any internal link of the website. So I got Firefox, and now I'm using it to write this.
And since this happened, I have been getting a lot of "not responding" errors, causing me to restart.

hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:09 AM, on 9/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\RbtProt\sgsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Salim-G\Desktop\HijackThis.exe

O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20004\924871.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DAEE80E-C25A-4F53-B295-D306E4D33744}: NameServer = 62.84.64.3 62.84.71.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DAEE80E-C25A-4F53-B295-D306E4D33744}: NameServer = 62.84.64.3 62.84.71.3
O20 - Winlogon Notify: ppts16 - C:\WINDOWS\SYSTEM32\ppts16.dll
O21 - SSODL: IEFilter - {D8C3ABEF-1E4F-4ABD-88ED-4CED777A7C54} - C:\WINDOWS\system32\IEFilter.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\3339_32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoftGuard Service (SG_Service) - Unknown owner - C:\Program Files\Common Files\RbtProt\sgsrv.exe



#2 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 September 2006 - 07:30 AM

Hello,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

So I want you to perform some things first, because it doesn't make any sense for us to try to clean up your system if nothing is preventing malware from being installed again.

I see no antivirus and firewall installed on your system, and I also see that your Windows isn't up to date. :thumbsup:

You don't even have Service Pack 1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems... and that is the reason why you are now infected, because if your Windows had been up to date, the security patches could have prevented this.

So, what I want you to do right now is, please update your Windows to SP1.
We'll get SP2 later when your system is clean again.
Visit http://windowsupdate.microsoft.com/ to update.

REBOOT afterwards.

When done, install an antivirus and firewall.

Avira, AVG OR Avast OR Active Virus Shield? (uncheck the Security Toolbar during install)
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease their reliability!
ZoneAlarm, Kerio OR Sygate are FREE firewalls.

Understanding and using firewalls

Update your antivirus and let it perform a full scan.
REBOOT afterwards and post a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Empty Agenda
  • Topic Starter
  • Members
  • 14 posts

Posted 28 September 2006 - 08:42 AM

I actually updated my Windows to SP1 a year ago, I don't know why it wasn't configured to you. I was using SpywareBlaster as a firewall, but I had it disabled, because I heard it's not effective. I got AVG and Ewido, fully updated. I will get ZoneAlarm soon, after removing SpywareBlaster and Ewido's shield.
I attempted a few online scans that I couldn't complete, but from the HJT log, you can see they're still configured, even after reboots.
I feel my system is a bit better now after the AVG scan, which unsurprisingly came across numerous viruses.
New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:16 PM, on 9/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\RbtProt\sgsrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Salim-G\Desktop\HijackThis.exe

O2 - BHO: C:\WINDOWS\System32\150AE6.dll - {8A5875B5-93F3-429D-FF34-660B206D897C} - C:\WINDOWS\System32\150AE6.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DAEE80E-C25A-4F53-B295-D306E4D33744}: NameServer = 62.84.64.3 62.84.71.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DAEE80E-C25A-4F53-B295-D306E4D33744}: NameServer = 62.84.64.3 62.84.71.3
O20 - Winlogon Notify: ppts16 - C:\WINDOWS\SYSTEM32\ppts16.dll
O21 - SSODL: IEFilter - {D8C3ABEF-1E4F-4ABD-88ED-4CED777A7C54} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\3339_32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe
O23 - Service: SoftGuard Service (SG_Service) - Unknown owner - C:\Program Files\Common Files\RbtProt\sgsrv.exe



#4 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 September 2006 - 08:57 AM

Hello,

I was using Spyware Blaster as a firewall, but I had it disabled, cause I heard it's not effective

Ehm... Not sure who told you that Spywareblaster is a firewall, because it isn't. Spywareblaster blocks malicious activeX. It is no firewall.

I actually updated my windows to sp1 a year ago

Well, it looks like this update didn't work anyway, because your log still shows XP without SP1 in it.
So, an extra question I want to ask... is this a legal version of XP?

Anyway, let's get rid of Haxdoor first and then we'll deal with all the other backdoors present on your computer.
One important thing you should know first: these backdoors you are dealing with have collected all your passwords, so your passwords are known. Don't change them now, because as long as your system is infected, they will get your new passwords as well. But this is just a reminder, because I may forget to tell you this afterwards: once we have cleaned this up, I want you to change all passwords.

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread.
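The two HijackThis logs above contain the entry types the analyst is reacting to when she names Haxdoor: an O20 Winlogon Notify DLL with a random-looking name (ppts16, which the Haxfix log later matches), O21 SSODL entries that point at files which are now missing, O23 services with no publisher, and components named like 924871.dll, 150AE6.dll and 3339_32.dll. The script below is an added example, not part of the thread and not HijackThis or Haxfix code: it parses HijackThis 1.99.1 log lines and ranks them with this example's own heuristics. The Windows XP default allowlists for Winlogon Notify and ShellServiceObjectDelayLoad and the "machine-generated name" rule are assumptions; the sample lines are copied from the first log in the thread.

```python
"""Triage HijackThis 1.99.1 log lines for suspicious persistence entries.

Added example for this thread; not HijackThis or Haxfix code. The allowlists
and scoring rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Assumed Windows XP defaults (assumption, not taken from the thread).
DEFAULT_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}
DEFAULT_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}

FILE_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}   # last field is a path
RANDOM_STEM = re.compile(r"^[0-9a-f_]{4,}$", re.I)       # e.g. 924871, 3339_32
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Lines copied from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20004\924871.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DAEE80E-C25A-4F53-B295-D306E4D33744}: NameServer = 62.84.64.3 62.84.71.3
O20 - Winlogon Notify: ppts16 - C:\WINDOWS\SYSTEM32\ppts16.dll
O21 - SSODL: IEFilter - {D8C3ABEF-1E4F-4ABD-88ED-4CED777A7C54} - C:\WINDOWS\system32\IEFilter.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\System32\3339_32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe
O23 - Service: SoftGuard Service (SG_Service) - Unknown owner - C:\Program Files\Common Files\RbtProt\sgsrv.exe
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def file_stem(path):
    """Name without extension of the last path component, ignoring a trailing
    '(file missing)' note, surrounding quotes and command-line arguments."""
    last = path.split("\\")[-1]
    last = last.split(" (")[0].strip().strip('"')
    return last.split(" ")[0].rsplit(".", 1)[0]


def triage_line(line):
    """Return the findings for one HijackThis line (empty list if benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.groups()
    kind, _, body = rest.partition(": ")
    fields = [f.strip() for f in body.split(" - ")]
    path = fields[-1]
    findings = []
    if section in FILE_SECTIONS:
        if path.endswith("(file missing)") or path == "(no file)":
            findings.append(Finding(section, "medium",
                "entry points at a file that no longer exists (orphaned remnant)", line))
        stem = file_stem(path)
        if RANDOM_STEM.match(stem):
            findings.append(Finding(section, "high",
                f"file name '{stem}' looks machine-generated", line))
    if section == "O20" and kind == "Winlogon Notify":
        if fields[0].lower() not in DEFAULT_WINLOGON_NOTIFY:
            findings.append(Finding(section, "high",
                f"non-default Winlogon Notify package '{fields[0]}' loads into winlogon.exe", line))
    elif section == "O21" and kind == "SSODL":
        if fields[0].lower() not in DEFAULT_SSODL:
            findings.append(Finding(section, "high",
                f"non-default ShellServiceObjectDelayLoad entry '{fields[0]}' loads into explorer.exe", line))
    elif section == "O23" and kind == "Service":
        if len(fields) >= 3 and fields[-2].lower() == "unknown owner":
            findings.append(Finding(section, "medium",
                "service binary carries no publisher (company) information", line))
    elif section == "O17":
        servers = body.partition("NameServer = ")[2].split()
        if servers:
            findings.append(Finding(section, "info",
                "per-adapter DNS servers " + ", ".join(servers) + "; confirm they belong to the ISP", line))
    return findings


def triage(log_text):
    """Triage a whole log; findings come back sorted high > medium > info."""
    rank = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"          {f.line}")
```

Run as a script it prints the ranked findings for the embedded sample; for a real log call triage(open(path).read()). The allowlists are the weak point: a legitimate third-party Winlogon Notify package (a graphics driver's, for instance) is flagged the same way as ppts16, so a "high" here means "verify the file", not "delete it".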

#5 Empty Agenda
  • Topic Starter
  • Members
  • 14 posts

Posted 28 September 2006 - 12:58 PM

Hello,

I really thought I had a clue...

So, extra question I want you to ask... is this a legal version of XP?

No... It's not a legal version. I got an illegal copy (which is a pretty legal thing to do in my country, Lebanon). Unfortunately I'm not registered at Microsoft.
This might sound dumb, but isn't it possible that the SP1 upgrade is doing its effect, only the log doesn't show it?

HAXFIX logfile - by Marckie
______________
version 4.20.1
Thu 09/28/2006 20:53:07.23

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
ppts

checking for matching services....
matching services found
ppts16
ppts24

checking for matching safeboot services....
matching safeboot services found
ppts16.sys
ppts24.sys

checking for other haxdoorfiles....


Checking for goldun
-------------------

checking for SSODL keys....
no ssodl keys found

checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....


Finished

Edited by Empty Agenda, 28 September 2006 - 12:59 PM.


#6 Empty Agenda
  • Topic Starter
  • Members
  • 14 posts

Posted 28 September 2006 - 01:03 PM

And I got to ask, when I'm done, should I change my passwords on the web too? And is it also necessary for other users using this computer?

#7 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 September 2006 - 01:09 PM

Hi,

With an illegal version of Windows, you won't be able to update anyway, leaving you with an unpatched system... wide open for infection... and especially with these types of malware present, it will always come back.

should I change my passwords on the web too? And is it also necessary for other users using this computer?

Yes, because as I said, passwords are collected, whether these are yours or from someone else.

Open this folder program files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot.

Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open.
Post the contents of that logfile along with a new hijackthislog.

#8 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 September 2006 - 01:26 PM

This actually made me think -- because since you have an illegal version of Windows, it changes my point of view here...

As I already said before, you have to understand that we will not be able to fix all your problems, because you have some really nasty infections present there.
That's why, in such cases... especially since this is an illegal version, unpatched and wide open to infection and reinfection, I would rather recommend formatting and reinstalling Windows. This is the fastest and especially the safest solution. Because your system is badly compromised anyway, and when unpatched... ugh..

Start fresh and install a firewall and antivirus before you connect to the internet (leave your internet cable unplugged during the Windows install). This may prevent the malware from reinstalling again.
Otherwise we will just be carrying water to the sea when manually trying to clean this.
If you had a legal version, I would have given it a try, but illegal and unpatched... no, it will come back anyway.
A fresh install, even when installing an illegal version again, will be a lot better than manually cleaning this up, since no malware will be present from the start. But keep in mind, as long as you can't update, your system stays vulnerable and wide open for reinfection, even with the best firewall and antivirus installed.

So the choice is yours... if you want to clean this up manually, don't be surprised if it comes back again. Don't be surprised if issues are still present which we cannot always fix.
Illegal software is free (not always though), but problems will always appear. That's why you should get legal software instead, and you'll have fewer problems.

Edited by miekiemoes, 28 September 2006 - 01:30 PM.


#9 Empty Agenda
  • Topic Starter
  • Members
  • 14 posts

Posted 29 September 2006 - 03:54 AM

I usually format my HD every year or so; I was hoping I could avoid it this time. But oh well, that's the price you've got to pay for illegal versions.
Thanks a lot anyway, I'll fill my next installation with security software, just like you advised.

#10 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 September 2006 - 04:02 AM

that's the price you've got to pay for illegal versions.


Exactly, no real advantages to using illegal versions.

Just make sure, before you format and reinstall, you have already burned the installer of an antivirus and firewall onto a CD or USB stick, because during the reinstall I recommend you unplug your internet cable and only plug it back in after you have installed the firewall and antivirus. Otherwise you'll be infected again right after the reinstall of Windows.

Also read in my signature how to prevent this in the future :thumbsup:

#11 Empty Agenda
  • Topic Starter
  • Members
  • 14 posts

Posted 29 September 2006 - 08:00 AM

I'll keep the software on my slave disk (D). But could this disk be infected? I never installed anything on it. I have a dial-up connection, so no worries about being infected during installation since it'll be disconnected. Thanks a lot for the help :thumbsup: , I'm checking your sig now.

#12 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 September 2006 - 08:28 AM

No, I don't think the slave disk will be infected. :thumbsup:

Anyway, success with the format and reinstall. It will run a LOT smoother afterwards :D

#13 Empty Agenda
  • Topic Starter
  • Members
  • 14 posts

Posted 29 September 2006 - 11:17 AM

Thanks :thumbsup:

#14 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 September 2006 - 11:36 AM

You're welcome :thumbsup:

#15 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 October 2006 - 04:24 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.