Nightbabe

HELP!


HELP!!

I have a trojan in my back end!!!!

 

But seriously. I have something that is lagging my PC, popping up spam windows in Mozilla. (Adtrgt.com is one of them)

I have had to spybot and AVG the hell outta my PC and it still isn't helping. There is something else that they aren't picking up.

I know, I know, format... But I have around 20 gig of photos of my kids (I know, a lot, but there are movies too), so backing up is a bitch.

My HDD is partitioned and all the things I CAN'T lose (photos, docs, and of course WoW) are on the 2nd partition.

The OS is on the 1st.

What can I do?!

 

Just got spammed with: http: //85.12.43.70/do t.gif/?ver=112&cmp=pro filing4&uid=377238F2C40511DDABCE168489CFFFFF&guid=C0810411FE464AE79746D84CF97B3B03&affid=168489&rid=zdez&m=ki5s&revid=9773&lid=www.google.com.au%2Fsearch%3Fclient=firefox-a%26rls=org.mozilla%3Aen-US%3Aofficial%26channel=s%26hl=en%26q=lfg+comics%26meta=%26btnG=Google+Search&uqs=24&s=0&c1=24&c2=0&uid_track=2f18eb08-a015-4b4f-8fd7-b685b49545c8&br=firefox

Edited by Nightbabe


Format your Windows partition and reinstall Windows. WoW doesn't need reinstalling and can be copied from partition to partition with no negative effects. Your movies and pictures should be safe from any sort of virus; they generally attack executables. As for anything else installed on your Windows partition, you're going to have to reinstall them as well.


You can also try Ad-Aware, and you could also run HijackThis and then cut and paste the results, so we can take a look and advise of any suspect processes.

 

On a side note, PLEASE BURN YOUR PHOTOS TO A DVD!!!!!!!! I have seen so many people lose years of their children's photos, never to recover them again, and it is very sad to say the least. Ask yourself: if you had a fire, after your family is safe, the next thing you grab on the way out is photos, as they cannot be replaced. DO NOT trust your HDD to keep your photos safe.

 

I also upload my photos to Picasa for safekeeping on top of burning two copies to DVD as data.


> You can also try Ad-Aware, and you could also run HijackThis and then cut and paste the results, so we can take a look and advise of any suspect processes.
>
> On a side note, PLEASE BURN YOUR PHOTOS TO A DVD!!!!!!!! I have seen so many people lose years of their children's photos, never to recover them again, and it is very sad to say the least. Ask yourself: if you had a fire, after your family is safe, the next thing you grab on the way out is photos, as they cannot be replaced. DO NOT trust your HDD to keep your photos safe.
>
> I also upload my photos to Picasa for safekeeping on top of burning two copies to DVD as data.

I know :( I just have so many that it will require a lot of money.

Thank you for the links. Here are the HijackThis results.

I have previously googled most of them. Gotta love www.processlibrary.com

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:27:49 PM, on 12/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a2articles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: MultiRes

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Search - ?p=ZJfox000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172685525078

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

 

--

End of file - 5916 bytes


You'd need 5 DVDs to back up all your photos, probably cost $5 at most :( I'd seriously do that now before anything else...


Well, nothing looks out of place there, so try Ad-Aware and maybe an online virus scan to double check. Also, you could run checks with Spybot/AVG/Ad-Aware in safe mode to enable easier removal. Also, as lew~ pointed out, the cost of a few blank DVDs is cheap compared to losing all your photos, don't you think? I get a 50 spindle of Verbatim DVD-R for about $22.00 from JB-HIFI.

 

I mean, priceless photos lost or a few dollars for some blank DVDs. I have never come across anyone who had to be convinced to protect their precious memories lol.


There is absolutely no need to format, and no need to risk losing all your data.

 

First, get a decent AV scanner, such as Avira or Avast; both are free, and both have excellent detection rates, unlike AVG.

 

If Avira or Avast do not detect anything, there are more advanced steps that can be taken to ascertain what the problem is.


Yep, get rid of AVG and go with Avast as soon as you can. We have even taken Norton's off at work and loaded up Avast on the workstations. It runs good, picks up pretty well all nasties and does not bog the systems down like Norton's does.


> Well nothing looks out of place there.

Not so, sir.

> O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll

That's bad, and that's the problem.

 

I'd be willing to wager that if you remove it with HijackThis it'll just be back straight away if you scan again.

 

Download Malwarebytes and SUPERAntiSpyware, install and update them. Also download SmitFraudFix and Vundofix for good measure (we haven't got a name for this problem so I don't know if these will be helpful, but they can both remove things normal programs like Spybot, Ad-Aware, Super and Malware can't).

 

Boot into safe mode, no networking. Run SmitFraudFix and Vundofix first, then run full scans with Malware and Super.

 

I know there are people on these forums that think Spy-Bot and Ad-Aware are all you need, but those days are long gone.

 

When you're done, reboot and run HijackThis and look for the O20 DLLs entry.


Ad-Aware did pick up 3 things; 2 were able to be removed. The 3rd is a deeper problem that is located in my hosts file. When I try to quarantine it, it actually freezes Ad-Aware and causes it to crash.

I don't need convincing really to back up my stuff.

I will get the other Programmes now. Thanks for all the quick replies!


As a side note, also remember that while hard drives and other hardware can fail, CD-Rs and DVD-Rs have a finite lifespan: the cheaper ones (Ritek and other no-namers) might only last a year or two before becoming unreadable, while the more expensive ones (Taiyo Yuden) can last 5-7 years or more depending on storage conditions. This is because the data on such optical media is stored in organic dyes which break down over time.


> As a side note, also remember that while hard drives and other hardware can fail, CD-Rs and DVD-Rs have a finite lifespan: the cheaper ones (Ritek and other no-namers) might only last a year or two before becoming unreadable, while the more expensive ones (Taiyo Yuden) can last 5-7 years or more depending on storage conditions. This is because the data on such optical media is stored in organic dyes which break down over time.

So even DVDs/CDs aren't great to back up on?

Then what IS good? I am NOT going to print out 2,809 photos (5.40 GB) of just the kids, then the 1,6559 (1.35 GB) other photos I have, just to back them up.


Photo paper degrades over time anyway :-p

 

There is no perfect, cheap, backup solution. You just need to be aware of the limitations of each option.

 

Your best bet is to burn to decent quality DVD-Rs and re-burn them to fresh ones (or a more recent media type as appropriate) every few years.


The important thing is to always know you've got at least two working copies at any one time, three for preference. Tape backup is technically the most reliable, especially when stored in a safety deposit box, but that's a bit pricey for the average consumer. This is obviously only for things you can't replace.

 

How'd the Vundo/Smitfraud/Super/Malware run go?
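An added example, not posted by anyone in this thread: a small Python script that does what "always know you've got at least two working copies" means in practice. It records a SHA-256 manifest of the photo folder and checks each copy against it, so a disc whose dye has started to break down (or a file that never burned) shows up as corrupt or missing during a routine check rather than on the day the copy is needed. The folder layout, file contents and the simulated bit flip are constructed for the demo; the function names are this example's own.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large movies need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_copy(manifest, copy_root):
    """Compare one copy against the manifest; returns (ok, missing, corrupt) path lists."""
    ok, missing, corrupt = [], [], []
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(copy_root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
            continue
        try:
            intact = hash_file(full) == digest
        except OSError:  # an unreadable sector on a degraded disc counts as corrupt
            intact = False
        (ok if intact else corrupt).append(rel)
    return ok, missing, corrupt


def count_working_copies(manifest, copy_roots):
    """Number of copies that are complete and intact: the 'two working copies' check."""
    return sum(1 for root in copy_roots if verify_copy(manifest, root)[1:] == ([], []))


def demo():
    """Constructed scenario: a photo folder, one intact copy, one copy with a flipped bit and a lost file."""
    base = tempfile.mkdtemp()
    try:
        src = os.path.join(base, "photos")
        os.makedirs(os.path.join(src, "2008"))
        with open(os.path.join(src, "2008", "kids.jpg"), "wb") as f:
            f.write(b"\xff\xd8 not a real jpeg " * 200)
        with open(os.path.join(src, "holiday.mov"), "wb") as f:
            f.write(b"not a real movie " * 4000)
        good = os.path.join(base, "dvd1")
        bad = os.path.join(base, "dvd2")
        shutil.copytree(src, good)
        shutil.copytree(src, bad)
        # Simulate dye degradation on the second disc: one bit flips, one file is lost.
        mov = os.path.join(bad, "holiday.mov")
        with open(mov, "r+b") as f:
            f.seek(10)
            byte = f.read(1)
            f.seek(10)
            f.write(bytes([byte[0] ^ 0x01]))
        os.remove(os.path.join(bad, "2008", "kids.jpg"))
        manifest = build_manifest(src)
        return {
            "good": verify_copy(manifest, good),
            "bad": verify_copy(manifest, bad),
            "working_copies": count_working_copies(manifest, [good, bad]),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = demo()
    print("intact copy:", result["good"])
    print("degraded copy:", result["bad"])
    print("working copies:", result["working_copies"])
```

Keep the manifest with the source photos and with each disc; re-running the check once or twice a year is what turns "I burned it" into "I know it still reads", and a copy count below two is the signal to burn a fresh disc.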


> > Well nothing looks out of place there.
>
> Not so, sir.
>
> > O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll
>
> That's bad, and that's the problem.

 

 

Bugger, silly old Dino missed that one :( Yes, it does indeed look bad. Some of these things hide in the System Restore files, so you may have to remove your old restore points to kill it.

 

Edit: tantryl, I gave SUPERAntiSpyware and Malwarebytes a run on my systems and they found nothing (I use Spybot and AVG). But then again I don't go clicking on every popup lol. So I will give them a try on the next infected machine I get my hands on, as I am always looking for new tools.

 

And you're right, Ad-Aware and Spybot don't get everything, but they do get most things.

 

Also @ Nightbabe, it's better to have backups of your photos on DVDs than to have no backup at all and lose the lot if your HDD fails. DVDs, even quality ones, are so cheap you can back up as often as you like.

Edited by bowiee


> The important thing is to always know you've got at least two working copies at any one time, three for preference. Tape backup is technically the most reliable, especially when stored in a safety deposit box, but that's a bit pricey for the average consumer. This is obviously only for things you can't replace.
>
> How'd the Vundo/Smitfraud/Super/Malware run go?

At the end of all that..

Vundo found nothing, Smitfraud didn't wanna work for me, and Super and Malware found a few items..

Here is another HijackThis report after the scans.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:56:02, on 12/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a2articles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {9E33F34A-7867-4D3E-A725-530DDECA1B09} - (no file)

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

O2 - BHO: (no name) - {BF173012-4794-4860-847A-D7D16511C60E} - (no file)

O2 - BHO: (no name) - {D14662FC-03AC-44A2-BE62-1BBC7DA9C775} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: MultiRes

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Search - ?p=ZJfox000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172685525078

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: hgGyxVME - hgGyxVME.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

 

--

End of file - 6745 bytes


Well, this is still a problem:

 

> O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll

 

And now you've got the added bonus of this:

 

> O20 - Winlogon Notify: hgGyxVME - hgGyxVME.dll (file missing)

 

They both add up to a Vundo or Smitfraud indicator (multiple random DLL generations), but you say Vundofix didn't find anything? And Smitfraud didn't work? That's a bit of a shit, must be an exciting new variant. Vundo and Smitfraud have been the toughest commonly found bastards to remove for the last couple of years at least. They can usually only be installed by someone clicking yes to a pop-up when they shouldn't, so bad Nightbabe! Or failing that, you should be telling someone else 'Bad someone else!'

 

Try Vundobegone. And make sure you've followed the smitfraud instructions here.

 

But both Vundofix and Malwarebytes should have been able to remove a Vundo variant. Which means it probably is an exciting new variant, and not particularly easy to remove.

 

Can you let us know the names of things that Malwarebytes and Super found and removed?

Edited by tantryl
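An added example, not from the thread and not part of HijackThis: a Python script that applies the checks tantryl made by eye across the two logs above (a populated O20 AppInit_DLLs line, a "file missing" Winlogon Notify hook, nameless BHOs with no file, and a start page pointing somewhere other than the stock default) to HijackThis v2 text. The sample log is constructed from the kinds of entries discussed here, and the allow-list of expected start-page hosts and the severity labels are assumptions made for the demo.

```python
import re

# Constructed sample in HijackThis v2 format, modelled on the entries this
# thread discusses; it is not one of the logs posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a2articles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E33F34A-7867-4D3E-A725-530DDECA1B09} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgGyxVME - hgGyxVME.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# One HijackThis entry: a section code (R0, O2, O20 ...), then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Start-page hosts expected on a stock IE install (assumed allow-list; extend as needed).
KNOWN_START_HOSTS = {"go.microsoft.com", "www.msn.com", "about:blank"}


def parse_entries(text):
    """Return (section, body) for every line that is a HijackThis entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def host_of(url):
    """Lower-cased host part of a URL, or the whole string for things like about:blank."""
    m = re.match(r"^[a-z]+://([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else url.strip().lower()


def triage(text):
    """Apply the thread's checks; returns a list of (severity, section, detail) tuples."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is empty on a clean home machine (the SmitFraudFix report
            # later in the thread shows it empty after cleanup). Anything listed is
            # loaded into every process that links user32.dll, so this is the key find.
            for dll in body.split(":", 1)[1].split():
                findings.append(("HIGH", section, f"AppInit_DLLs loads {dll}"))
        elif section == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            # The registry hook survived although the DLL was removed: a leftover to clean.
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            findings.append(("MEDIUM", section, f"orphaned Winlogon Notify hook {name}"))
        elif section == "O2" and "(no name)" in body and "(no file)" in body:
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", body)
            findings.append(("LOW", section, f"orphaned BHO {clsid.group(0) if clsid else '?'}"))
        elif section in ("R0", "R1") and "Start Page" in body:
            host = host_of(body.split("=", 1)[1])
            if host not in KNOWN_START_HOSTS:
                findings.append(("MEDIUM", section, f"start page set to {host}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {section:4} {detail}")
```

Run it over a saved log and the O20 line is the first thing reported; the same script run on the post-cleanup log is a quick way to confirm the entry is really gone rather than re-created on the next boot, which is the check tantryl asks for above.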


> Well, this is still a problem:
>
> > O20 - AppInit_DLLs: dbixyi.dll hasgpq.dll yfxwtx.dll
>
> And now you've got the added bonus of this:
>
> > O20 - Winlogon Notify: hgGyxVME - hgGyxVME.dll (file missing)
>
> They both add up to a Vundo or Smitfraud indicator (multiple random DLL generations), but you say Vundofix didn't find anything? And Smitfraud didn't work? That's a bit of a shit, must be an exciting new variant. Vundo and Smitfraud have been the toughest commonly found bastards to remove for the last couple of years at least. They can usually only be installed by someone clicking yes to a pop-up when they shouldn't, so bad Nightbabe! Or failing that, you should be telling someone else 'Bad someone else!'
>
> Try Vundobegone. And make sure you've followed the Smitfraud instructions here.
>
> But both Vundofix and Malwarebytes should have been able to remove a Vundo variant. Which means it probably is an exciting new variant, and not particularly easy to remove.
>
> Can you let us know the names of things that Malwarebytes and Super found and removed?

 

OK, I have print-screened what is in quarantine. Don't think they are legible lol. But who knows, you might be able to read 'em.

http://smg.photobucket.com/albums/v213/Nit...current=mal.jpg

http://smg.photobucket.com/albums/v213/Nit...rrent=Super.jpg

http://smg.photobucket.com/albums/v213/Nit...=Theproblem.jpg


No, can't read those too well.

 

I can make out some Vundo stuff that Malwarebytes has removed, which leaves us with Vundo being the likely culprit and, as I mentioned, probably in a brand new bad-arse edition that's even harder to remove than its damn dirty predecessors.

 

Try all three methods from here, but that's just the aforementioned Malwarebytes, Vundofix & Vundobegone. But follow the instructions carefully and you might get lucky... punk.


Note please: for Vundo and a few others you must be disconnected from the net before running the scan.

Recently had to deal with a Virtumonde infection and the following worked.

Make sure you have the latest 1.6 Spybot S&D and manually update it. I would also disable Spybot's TeaTimer; I find it annoying.

Turn off System Restore on all drives.

Disconnect the PC from the net (pull the network/USB cable or disable the wireless card).

Reboot the PC into safe mode (F8 on boot) and manually delete all the temp shit from

C:\Documents and Settings\login name\Local Settings\Temporary Internet Files

C:\Documents and Settings\login name\Local Settings\Temp

C:\WINDOWS\Temp

Do this for all users. Also delete any suspicious crap from C:\WINDOWS\Downloaded Program Files and any other temp folders on the system (a search for temp* should find them).

Or give CCleaner portable a try.

http://www.ccleaner.com/download/builds/downloading-portable

Next run Spybot and get it to remove all the crap it finds. Spybot may ask to do a re-scan on reboot. If it asks to do this, select yes.

Once the Spybot scans are finished (including the reboot scan), reboot into safe mode again and give f-vmonde, VirtumundoBegone, Vundofix & Vundobegone a run. Do each one separately of course, not simultaneously.

Reboot again into normal mode once all have finished and see if the PC is OK (connect to the net).

If so, turn System Restore on again and run Spybot's immunisation feature to immunise IE and Firefox.


> Note please: for Vundo and a few others you must be disconnected from the net before running the scan.
>
> Recently had to deal with a Virtumonde infection and the following worked.
>
> Make sure you have the latest 1.6 Spybot S&D and manually update it. I would also disable Spybot's TeaTimer; I find it annoying.
>
> Turn off System Restore on all drives.
>
> Disconnect the PC from the net (pull the network/USB cable or disable the wireless card).
>
> Reboot the PC into safe mode (F8 on boot) and manually delete all the temp shit from
>
> C:\Documents and Settings\login name\Local Settings\Temporary Internet Files
>
> C:\Documents and Settings\login name\Local Settings\Temp
>
> C:\WINDOWS\Temp
>
> Do this for all users. Also delete any suspicious crap from C:\WINDOWS\Downloaded Program Files and any other temp folders on the system (a search for temp* should find them).
>
> Or give CCleaner portable a try.
>
> http://www.ccleaner.com/download/builds/downloading-portable
>
> Next run Spybot and get it to remove all the crap it finds. Spybot may ask to do a re-scan on reboot. If it asks to do this, select yes.
>
> Once the Spybot scans are finished (including the reboot scan), reboot into safe mode again and give f-vmonde, VirtumundoBegone, Vundofix & Vundobegone a run. Do each one separately of course, not simultaneously.
>
> Reboot again into normal mode once all have finished and see if the PC is OK (connect to the net).
>
> If so, turn System Restore on again and run Spybot's immunisation feature to immunise IE and Firefox.

OK, so I did both of what you guys said.

I *think* it is better.

No more O20 DLL. No more pop-up windows, and my PC is running at the speed it is meant to.

Thank you so much guys.

Going to Hardly Normal today to get some DVDs to back up my photos.

I ran Malwarebytes again and it found 2 infected.. so I am guessing if I keep running it of a night time I will eventually get 'em all.


What were the two infected you found after the O20 removals? If they're just cookies or the like, it's not an issue.


> What were the two infected you found after the O20 removals? If they're just cookies or the like, it's not an issue.

I'll get back to you on that one..

I am pretty sure it was just adware.

I am having another problem though..

 

I went and bought some Memorex Printable DVD+R DVDs.. And now it is telling me that Windows has encountered an error while trying to copy this file.

It is not just that one.. but all of the files I have tried to place on the blank DVD.


> What were the two infected you found after the O20 removals? If they're just cookies or the like, it's not an issue.
>
> I'll get back to you on that one..
>
> I am pretty sure it was just adware.
>
> I am having another problem though..
>
> I went and bought some Memorex Printable DVD+R DVDs.. And now it is telling me that Windows has encountered an error while trying to copy this file.
>
> It is not just that one.. but all of the files I have tried to place on the blank DVD.

 

Memorex are not very good quality; Verbatim would have been a better choice. Anyway, what program are you using to burn these files?


tantryl, I got SmitFraudFix to work. Here is what it showed me.. What does it mean?? lol

 

SmitFraudFix v2.387

 

Scan done at 17:33:19.04, Wed 12/17/2008

Run from C:\Documents and Settings\nicky\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\nicky\Desktop\VundoFix.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

hosts file corrupted !

 

127.0.0.1 www.legal-at-spybot.info

127.0.0.1 legal-at-spybot.info

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nicky

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\nicky\LOCALS~1\Temp

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nicky\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\nicky\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch

!!!Attention, following keys are not inevitably infected!!!

 

o4Patch

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, following keys are not inevitably infected!!!

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

!!!Attention, following keys are not inevitably infected!!!

 

Agent.OMZ.Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, following keys are not inevitably infected!!!

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

!!!Attention, following keys are not inevitably infected!!!

 

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» RK

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C) - Packet Scheduler Miniport

DNS Server Search Order: 192.168.0.1

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D06B30A-C64F-460D-AE29-18BE2FAE42DC}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D06B30A-C64F-460D-AE29-18BE2FAE42DC}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D06B30A-C64F-460D-AE29-18BE2FAE42DC}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{9D06B30A-C64F-460D-AE29-18BE2FAE42DC}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

