I'm Getting Owned, Don't Know Type Of Infection



#1 scotty12

Posted 08 January 2007 - 10:08 PM

I'm fairly computer savvy, and I can usually fix problems on my own, but this is something else. I ran all the usual programs: Spybot, Ad-Aware, Panda, etc. Nothing.

Bah!

Here's my log; hopefully somebody can help me.

Logfile of HijackThis v1.99.1
Scan saved at 7:47:17 PM, on 1/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wlmsngr.exe
C:\WINDOWS\System32\msasvc.exe
c:\pqjsikt.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\autosys.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\kernels1118.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\scott\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\System32\imtqodk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels1118.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe



Thanks!


#2 logreeval

Posted 08 January 2007 - 11:44 PM

Hello scotty12 and Welcome To BleepingComputer!

I am logreeval and will be helping you clean your computer :thumbsup:

There are a few malware infections present; it will take more than one post to clean up, so please bear with me and we will get your computer running like new :flowers:

You are currently using HijackThis from a temporary directory; this can cause problems.
HijackThis creates backups, which are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, then download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder
1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

2. Download HijackThis to the new folder:

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

4. Close ALL windows except HJT

5. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
Please make sure you post the entire log including the top portion:

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

====================

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

====================

Next Post:
1)Fresh HijackThis Log
2)Uninstall List

logreeval

Are you infected? If you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help; post on the forums instead.

Am I helping you and haven't replied in a few days? Go ahead and send me a polite PM.



#3 scotty12

Posted 09 January 2007 - 04:25 AM

Sorry about that, I didn't know running HijackThis out of an archive would affect its performance. Here's what you asked for.

A side note: I ran another program recommended by a friend. It's called Prevx1. I hope this is not one of those "spyware scanners" that turn out to be more malware. It seems to have done the trick?

Logfile of HijackThis v1.99.1
Scan saved at 2:21:16 AM, on 1/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Steam\Steam.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\scott\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\System32\imtqodk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)


Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
ANIO Service
ANIWZCS2 Service
ATI Display Driver (Omega 3.8.252)
BitComet 0.79
Cliprex DS DVD Player
ffdshow (remove only)
HijackThis 1.99.1
HWiNFO32 Version 1.71
Mozilla Firefox (2.0.0.1)
MultiRes (remove only)
My Global Search Bar
Prevx1
Radeon Omega Drivers v3.8.252 Setup Files and Tools
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shareaza version 2.2.3.0
Spybot - Search & Destroy 1.4
Starcraft
Steam
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VideoLAN VLC media player 0.8.6
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486


There you have it. Thanks for the quick response.
Edit: I know you guys don't like bumping, so I just edited. I tried doing my own analysis of the log, and the bolded lines are what I think could be problems. More for fun than anything :thumbsup:. Also, my C drive has 6 application files sitting in it. They are named with random letters and have no extension that I can see. Hope any of that helps!

scotty

Edited by scotty12, 09 January 2007 - 04:20 PM.


#4 logreeval

Posted 10 January 2007 - 10:16 AM

Hi again. :flowers:

Edit: I know you guys don't like bumping, so I just edited. I tried doing my own analysis of the log, and the bolded lines are what I think could be problems. More for fun than anything :thumbsup:

It's fine to reply to your own log :huh:... You identified them pretty well, but missed a couple. If that was fun for you, I might suggest learning to fight malware! See here... http://www.bleepingcomputer.com/forums/t/4970/help-wanted/

Also, my C drive has 6 application files sitting in it. They are named with random letters and have no extension that I can see.

I am sure they are fine if AVG Anti-Spyware did not pick them up. My computer has about 10 random-looking files in the C: drive.

You had a backdoor infection which can record and send keystrokes including passwords and confidential bank information. Once you are clean (or from a clean computer), I strongly recommend you change all your online passwords, especially related to online banking.

====================

Please download SmitfraudFix (by S!Ri) to your Desktop.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

====================

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\wdokbye.dll",bpzgoi
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\System32\imtqodk.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

My Global Search Bar

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\MyGlobalSearch

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Documents and Settings\LocalService\Local Settings\Application Data\wdokbye.dll
C:\WINDOWS\System32\autosys.exe


After that, Reboot.

====================

Next reply:
1)Fresh HijackThis log
2)SmitfraudFix log

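An added example, not from this thread or from HijackThis itself: a small Python triage script that applies the indicators logreeval used above to a constructed subset of scotty12's first log (start page redirected to a local file, an unnamed BHO in System32, a Run entry that has rundll32 load a DLL out of the LocalService profile, an unowned service whose file is missing, and the known adware toolbar). The allowlist and adware marker list are assumptions seeded from this thread only; an entry the helper recognised from experience, such as autosys.exe, is not something a rule like this catches.

```python
"""Triage a HijackThis log with the indicators used in this thread.

Rules (each mirrors an entry logreeval told scotty12 to fix):
  R0/R1  start or default page set to a local file rather than a URL
  O2     a '(no name)' BHO whose DLL is not on a small allowlist, or a
         BHO belonging to a known adware toolbar
  O4     a Run entry that uses rundll32 to load a DLL out of a service
         account's profile (LocalService / NetworkService)
  O23    a service with 'Unknown owner' whose binary is '(file missing)'
"""
import re
from dataclasses import dataclass

# Assumption: allowlist and adware markers are seeded from this thread only.
# SDHelper.dll is Spybot S&D's BHO; MyGlobalSearch was removed as adware.
KNOWN_GOOD_BHO_FILES = {"sdhelper.dll"}
KNOWN_ADWARE_MARKERS = ("myglobalsearch",)
SERVICE_PROFILE_MARKERS = ("\\localservice\\", "\\networkservice\\")

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section, body):
    """Apply the rules above to one entry; return a reason string or None."""
    low = body.lower()
    if section in ("R0", "R1"):
        # 'Main,Start Page = c:\secure32.html': a local file here means the
        # browser's start/default page was redirected by the infection.
        value = low.split("=", 1)[1].strip() if "=" in low else ""
        if value and not value.startswith(("http://", "https://", "about:")):
            return "browser start/default page points at a local file"
    elif section == "O2":
        if any(marker in low for marker in KNOWN_ADWARE_MARKERS):
            return "BHO belongs to a known adware toolbar"
        dll_name = low.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1]
        if "(no name)" in low and dll_name not in KNOWN_GOOD_BHO_FILES:
            return "unnamed BHO loading a DLL that is not on the allowlist"
    elif section == "O4":
        if "rundll32" in low and any(m in low for m in SERVICE_PROFILE_MARKERS):
            return "Run entry loads a DLL from a service account's profile"
    elif section == "O23":
        if "unknown owner" in low and "(file missing)" in low:
            return "unowned service whose binary is missing (orphaned autostart)"
    return None


def triage(log_text):
    """Return a Finding for every flagged entry in a log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, raw.strip(), reason))
    return findings


# Constructed sample: a subset of the entries from scotty12's first log,
# plus the wlmsngr service line as it appeared in the second log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\System32\imtqodk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags six entries and leaves the BitComet BHO, Spybot's SDHelper.dll, the MsnMsgr Run entry and the ATI Smart service alone, which matches what the helper kept.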


#5 scotty12

Posted 10 January 2007 - 02:56 PM

Unfortunately, safe mode is not an option for me. The keyboard I use doesn't work before Windows has loaded. Whoever made this piece of junk was a genius.

I'm going to try it just normally. If safe mode was just a precaution against damaging my system, to be honest, I'm not too concerned. If worst comes to worst I can just reformat.

I'll go through your steps (skipping safe mode of course :thumbsup:) and reply again.

Edit: after a second read, it looks like another purpose of safe mode is to cut off the connection to the internet. I'm assuming this is to cut the legs out from under the malware, so to speak. Instead of safe mode, I'll disconnect my internet. Hopefully that will do the trick haha.

Edited by scotty12, 10 January 2007 - 02:58 PM.


#6 scotty12

Posted 10 January 2007 - 03:18 PM

Done, hopefully.

Rapport log:
SmitFraudFix v2.132

Scan done at 13:08:05.51, Wed 01/10/2007
Run from C:\Documents and Settings\scott\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:15:38 PM, on 1/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\scott\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)


How's it lookin'?

#7 logreeval

Posted 11 January 2007 - 01:38 AM

The log looks good :thumbsup:

Let's just make sure nothing else is hiding in that computer of yours...

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
Post back with that F-Secure log and a fresh Hijackthis log and tell me how things are running :flowers:



#8 scotty12

Posted 11 January 2007 - 04:28 PM

I ran that scan and it detected and (hopefully) disinfected 16 files. Unfortunately, I think due to the malware on my computer, a lot of the time running processes will stop responding when I try to do something with them. The scanner stopped responding when I clicked on "Save Report", or something of the like. I am fairly certain the files were still disinfected, but I have no report to show you.

What do you suggest I do?

#9 logreeval

Posted 12 January 2007 - 10:15 AM

Hey again,

No problem. :flowers:

Let's try this one :thumbsup:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post back with the Kaspersky log and a fresh HijackThis log.

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.



#10 scotty12

scotty12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 12 January 2007 - 03:01 PM

Um... wow... good luck :thumbsup:

Friday, January 12, 2007 12:59:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/01/2007
Kaspersky Anti-Virus database records: 258042
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 29770
Number of viruses found 18
Number of infected objects 59 / 0
Number of suspicious objects 0
Duration of the scan process 00:31:43

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\WDOKBYE.0LL Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C1ER4Z0J\xdmwgq[1].txt Infected: Trojan-PSW.Win32.Sinowal.bv skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MD4Z6ZM7\IF2[1].0XE Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MD4Z6ZM7\IF2[2].0XE Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MD4Z6ZM7\IF2[3].0XE Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MD4Z6ZM7\SECURE32[1].0TM Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MD4Z6ZM7\SECURE32[2].0TM Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\cert8.db Object is locked skipped
C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\history.dat Object is locked skipped
C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\key3.db Object is locked skipped
C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\parent.lock Object is locked skipped
C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\search.sqlite Object is locked skipped
C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\scott\Application Data\Prevx\proc.cat Object is locked skipped
C:\Documents and Settings\scott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\scott\Desktop\hijackthis\backups\backup-20070110-131055-303.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\Documents and Settings\scott\Desktop\hijackthis\backups\BACKUP-20070110-131055-876.0LL Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\Documents and Settings\scott\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\scott\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\scott\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\scott\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Messenger\scottywc@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Messenger\scottywc@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Messenger\scottywc@hotmail.com\SharingMetadata\Working\database_9678_AA09_78A9_E867\dfsr.db Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Messenger\scottywc@hotmail.com\SharingMetadata\Working\database_9678_AA09_78A9_E867\fsr.log Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Messenger\scottywc@hotmail.com\SharingMetadata\Working\database_9678_AA09_78A9_E867\fsrtmp.log Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Messenger\scottywc@hotmail.com\SharingMetadata\Working\database_9678_AA09_78A9_E867\tmp.edb Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Windows Live Contacts\scottywc@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Microsoft\Windows Live Contacts\scottywc@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev4jjlsm.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\scott\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Temp\~DF9C8.tmp Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Temp\~DF9EF.tmp Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Temp\~DFE571.tmp Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Temp\~DFE99B.tmp Object is locked skipped
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\scott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\scott\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Prevx1\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx1\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx1\paws.cache Object is locked skipped
C:\Program Files\Prevx1\prevx.cache Object is locked skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP80\A0009657.exe/data0014 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP80\A0009657.exe/data0015 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP80\A0009657.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP93\A0013930.exe Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0014908.exe Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0014948.exe Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0015965.exe Infected: not-virus:Hoax.Win32.Renos.gc skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0015966.dll Infected: Trojan-PSW.Win32.Sinowal.bh skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0015968.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016963.exe Infected: Trojan-Clicker.Win32.Costrat.ae skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016965.exe Infected: Trojan.Win32.Zapchast.cp skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016966.dll Infected: Trojan-PSW.Win32.Sinowal.bh skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016968.exe Infected: not-virus:Hoax.Win32.Renos.gc skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016969.exe Infected: Trojan.Win32.Zapchast.cp skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016970.exe Infected: Trojan.Win32.Zapchast.cp skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0016971.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017001.exe Infected: Trojan-Downloader.Win32.Small.bpz skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017959.exe Infected: Trojan-Proxy.Win32.Wopla.ac skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017967.exe Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017968.exe Infected: Trojan-Clicker.Win32.Costrat.ae skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017970.exe Infected: Trojan.Win32.Zapchast.cp skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017971.exe Infected: not-virus:Hoax.Win32.Renos.gc skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017972.exe Infected: Trojan.Win32.Zapchast.cp skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017973.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP94\A0017974.exe Infected: Trojan-Downloader.Win32.Small.bpz skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP95\A0017977.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP95\A0017978.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP96\A0018216.exe/data0015 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP96\A0018216.exe/data0016 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP96\A0018216.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP96\A0018219.exe Infected: Trojan-Downloader.Win32.Murlo.ey skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP96\A0022322.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP96\A0022323.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP97\A0022390.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP97\A0022462.exe Infected: not-virus:Hoax.Win32.Renos.gc skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP97\A0022463.exe Infected: Trojan.Win32.Zapchast.cp skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP97\A0022464.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP98\A0022566.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP98\A0022567.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP98\A0022568.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP99\A0023326.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP99\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\I.0 Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\IMTQODK.0LL Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\32ef1f.$$$ Infected: Trojan-PSW.Win32.Sinowal.bv skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

That didn't turn out very well in the post, so I am having a friend upload that report. He said it should be at this link:
http://upload.thinktyler.com/uploads/586336150.html

I'm not sure at what time today he is going to upload it, but give that a try.

Edited by scotty12, 12 January 2007 - 03:50 PM.
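The report above is a flat list of "path detection action" lines, and most of the hits sit in System Restore copies, a tool's own backups, or locked system files rather than on the live system. The following triage helper is an added example, not the thread's or Kaspersky's own tooling; the report format, bucket names and sample lines (paths copied from the report above) are constructed for illustration.

```python
"""Triage a Kaspersky Online Scanner 5 text report (added example, not the
thread's own tooling). Each per-object line is "<path> <detection> skipped";
we split live findings from restore-point copies, tool backups and locked files."""
import re
from dataclasses import dataclass

# Constructed sample in the report's line format; paths are taken from the post above.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\WDOKBYE.0LL Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\Documents and Settings\scott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\scott\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\scott\Desktop\hijackthis\backups\backup-20070110-131055-303.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{7307C476-C5C7-4BBA-9885-EF6726E77F21}\RP95\A0017977.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\Temp\32ef1f.$$$ Infected: Trojan-PSW.Win32.Sinowal.bv skipped
Scan process completed.
"""

# One object per line: "<path> Infected: <name> skipped", "<path> Object is locked skipped"
# or an archive summary such as "<path> RarSFX: infected - 2 skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<container>\w+): infected - \d+) skipped$"
)

@dataclass
class Finding:
    path: str
    name: str    # detection name; empty for locked and archive-summary lines
    status: str  # "infected", "locked" or "container"

def parse_report(text):
    """Return one Finding per object line; header, summary and blank lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        status = "infected" if m.group("name") else ("container" if m.group("container") else "locked")
        findings.append(Finding(m.group("path"), m.group("name") or "", status))
    return findings

def classify(f):
    """Bucket a finding by where the object lives and what the detection class means."""
    low = f.path.lower()
    if f.status == "locked":
        return "locked"         # in-use file the scanner could not open: not a detection
    if f.status == "container":
        return "container"      # archive summary; its infected members are listed on their own
    if low.startswith(r"c:\system volume information\_restore"):
        return "restore_point"  # old copies under System Restore; cleared by purging restore points
    if "\\hijackthis\\backups\\" in low:
        return "tool_backup"    # HijackThis' own backup of an item already fixed
    if f.name.startswith(("not-a-virus:", "not-virus:")):
        return "riskware"       # adware / hoax / tool classes: review, lower priority
    return "active"             # live on the running system: the files to remove first

def triage(text):
    """Map bucket name -> list of paths, in report order."""
    buckets = {}
    for f in parse_report(text):
        buckets.setdefault(classify(f), []).append(f.path)
    return buckets

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(paths)}")
```

Run against the full report, the "active" bucket is exactly the short list a helper would ask to have deleted, while the long tail of restore-point entries collapses into one action (clear System Restore).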


#11 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:12:40 AM

Posted 12 January 2007 - 10:06 PM

Ok, I will post back later this weekend. I am busy this weekend, so do not think I deserted you; I am just busy :flowers:

Don't forget to check this thread in a day or two :thumbsup:

logreeval



#12 scotty12

scotty12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 14 January 2007 - 04:57 PM

Not to worry. My computer isn't going anywhere :thumbsup:

#13 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:12:40 AM

Posted 15 January 2007 - 11:35 AM

Sorry for the delay.

A few things to delete here...

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MD4Z6ZM7

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Documents and Settings\LocalService\Local Settings\Application Data\WDOKBYE.0LL
C:\WINDOWS\system32\IMTQODK.0LL
C:\WINDOWS\Temp\32ef1f.$$$
C:\WINDOWS\system32\I.0
C:\WINDOWS\system32\i


After that, Reboot.

Tell me how things are running and post a fresh HijackThis log :thumbsup:

logreeval



#14 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:12:40 AM

Posted 31 January 2007 - 12:58 AM

As this issue appears resolved this topic is now closed.
If you would like this topic reopened, PM a staff member with the link to the topic.
This applies to the topic starter only, everyone else start a new topic.

Glad we could help :thumbsup:



#15 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:12:40 AM

Posted 06 March 2007 - 08:09 PM

scotty12, please post a fresh HijackThis log. :thumbsup:
