
Very Bad Infection



I'm helping a friend; this is their HijackThis log.

I'm all they've got to help for now,

until they can get IE7 going.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:47:42, on 12/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knet.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

O24 - Desktop Component 0: (no name) - http://s.bebo.com/js/mootools-12-core-and-...3d94a3f403d92f4

--

End of file - 3148 bytes


Hi there,

 

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

 

Also remove the checkmark from the Lock Desktop Items box if it is checked.

Apply.

Apply and Exit Display properties.

 

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

O24 - Desktop Component 0: (no name) - http://s.bebo.com/js/mootools-12-core-and-...3d94a3f403d92f4

 

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

 

Navigate to and delete the following file(s):

 

C:\WINDOWS\system32\tyshb36rfjdf.dll

 

Reboot your computer.

 

I'm not expecting that the file will be gone, but the other things should be fixed and easier to deal with. :)

 

Please download Malwarebytes' Anti-Malware from one of these places:

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

http://www.besttechie.net/mbam/mbam-setup.exe

 

Double Click mbam-setup.exe to install the application.

 

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.

* The scan may take some time to finish, so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

Thanks,

tea


Here's the new HijackThis log.

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:44:13, on 12/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

 

C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knet.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

 

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217792199031

 

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218691373609

O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

 

--

End of file - 3003 bytes

 

They said this one won't delete:

 

C:\WINDOWS\system32\tyshb36rfjdf.dll

Edited by mme
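The helper's checklist above picks out four kinds of entry (a registered component whose file is gone, a BHO whose display name is just a DLL path, an O7 policy restriction, and an O22 SharedTaskScheduler hook), and the second log shows the other thing a helper looks for: a line that was not there last time, here an O4 Run entry launching an executable from the user's Temp directory. The following Python is an added example, not code from this thread or from HijackThis, that parses the log's "Oxx - ..." lines, applies those heuristics, and diffs two logs so new and vanished entries stand out. The sample logs are constructed from lines copied out of the two logs posted above; the heuristics are assumptions about what usually merits a second look, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines copied from the two HijackThis logs
# posted in this thread (first log, then the log taken after the first round of fixes).
LOG_BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
"""

LOG_AFTER = r"""
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
"""

# HijackThis section lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Matches "...\Temp\" and the 8.3 form "...\LOCALS~1\Temp\" used in the log.
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2", "O4", "O22"
    body: str      # everything after "Oxx - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the section entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag(entry: Entry) -> list[str]:
    """Heuristic reasons (assumed, not authoritative) an entry deserves a second look."""
    reasons = []
    body = entry.body
    if body.endswith("(no file)"):
        reasons.append("orphan: registered component whose file is missing")
    if TEMP_DIR_RE.search(body):
        reasons.append("executable referenced from a Temp directory")
    if entry.section == "O7" and "Policies\\System" in body:
        reasons.append("system policy restriction set (e.g. DisableRegedit)")
    if entry.section == "O22":
        reasons.append("SharedTaskScheduler entry (loads at logon; rarely used by legitimate software)")
    if entry.section == "O2":
        # A BHO normally carries a product name; a bare DLL path as its name is a red flag.
        name = body.split(" - ")[0].removeprefix("BHO: ")
        if re.match(r"^[A-Za-z]:\\", name):
            reasons.append("BHO display name is a file path (unnamed BHO)")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    return {e.line: flag(e) for e in parse_hjt(text) if flag(e)}


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Lines that appeared in the newer log and lines that disappeared, in log order."""
    old = {e.line for e in parse_hjt(before)}
    new = {e.line for e in parse_hjt(after)}
    appeared = [e.line for e in parse_hjt(after) if e.line not in old]
    gone = [e.line for e in parse_hjt(before) if e.line not in new]
    return appeared, gone


if __name__ == "__main__":
    appeared, gone = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Appeared since the previous log:")
    for line in appeared:
        print("  +", line)
    print("Gone since the previous log:")
    for line in gone:
        print("  -", line)
    print("Flagged in the current log:")
    for line, reasons in triage(LOG_AFTER).items():
        print("  !", line, "=>", "; ".join(reasons))
```

Run it as a script to see the diff and the flagged lines; with the thread's two logs it reports the Temp-directory `csrssc.exe` Run entry as new and the orphaned Yahoo! Toolbar BHO as gone. The heuristics are deliberately narrow: an entry that trips none of them is not declared clean, it simply needs a human to look at it, which is exactly the division of labour in this thread.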

Something new showing up now. :blink:

 

See if you can get ComboFix to run :

 

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

 

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

tea


They can't do this.

"Cannot display page" is all they get.

The virus won't let anything happen.

Stay tuned.


I got them to go to Safe Mode with Networking and download Unlocker.

They deleted this: C:\WINDOWS\system32\tyshb36rfjdf.dll

and all of these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knet.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

 

Guess I'll wait till tomorrow and see how they do.


:surrender::surrender: Why did you tell them to change those?? They're supposed to be there and are legit! Just the file should be deleted of those you listed.

 

Now I know you're a fellow Pitster, but if you're asking for my help, then please stick to it. If you don't want to do this then I won't be held responsible for these things you're doing and will stop trying to help you now.

 

Your call.

 

tea


Hi, they deleted those on their own.

They still need help.

But after those were removed they were able to download ComboFix and Malwarebytes,

but those programs won't run.

They still can't get to the Pit.

They are downloading antivirus: Avast.

They said they won't remove anything else from HijackThis.


I did, just trying to get them to the Pit.

Dr.Web won't run.

CleanUp won't run.

HouseCall

Kaspersky

ComboFix

Turned off System Restore.

They tried it and it did nothing.

 

Their logfile:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:00:57, on 12/31/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator.KEEWAY-6AC51080\My Documents\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Documents and Settings\Administrator.KEEWAY-6AC51080\My Documents\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217792199031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218691373609

O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)


There are serious issues here.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:05:52, on 1/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator.KEEWAY-6AC51080\My Documents\Unlocker\UnlockerAssistant.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Documents and Settings\Administrator.KEEWAY-6AC51080\My Documents\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217792199031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218691373609

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

 

--

End of file - 3138 bytes

 

 

Ad-Aware

AVG Free 8.0

CCleaner (remove only)

Components Setup

HijackThis 2.0.2

Hotfix for Windows XP (KB952287)

Intel® 537EP V9x DF PCI Modem

Intel® Extreme Graphics 2 Driver

Intel® PRO Network Adapters and Drivers

Jasc Paint Shop Pro 9

Java 6 Update 2

Loader

Malwarebytes' Anti-Malware

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Visual C++ 2005 Redistributable

 

MobileMe Control Panel

Mozilla Firefox (3.0.5)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

QuickTime

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB923789)

 

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

 

 

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB960714)

Sony Picture Utility

SoundMAX

Unlocker 1.8.7

 

Update for Windows XP (KB942763)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

Yahoo! Browser Services

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

 

 

Infections: 38

1: "Trojan" "hidden autorun" "Trojan.Poison.J" "Trojan.Poison.J is a key-logging Trojan for the Windows platform."

2: "Trojan" "autorun" "Infostealer.Banker.E" "Steals sensitive information from the infected computer (e.g. logins and passwords from online banking sessions)."

3: "Adware" "Registry" "Adware.eXact.BargainBuddy" "A browser helper object that monitors internet browsing sessions in an attempt to redirect search queries and distribute unsolicited advertisements."

4: "Backdoor" "C:/windows/system32/svchost.exe" "Win32.Rbot.fm" "An IRC controlled backdoor that can be used to gain unauthorized access to a victim's machine."

5: "Trojan" "autorun" "Trojan.Tooso" "Trojan.Tooso is a trojan which attempts to terminate and delete security related applications."

6: "Worm" "C:/windows/" "Win32.BlackMail.xx" ""This dangerous worm will destroy certain data files on an infected user's machine on February 3, 2008."

7: "Rogue" "C:/Program Files/TrustedAntivirus" "TrustedAntivirus" "A corrupt and misleading anti-virus program that may be usually installed with the help of malcous Trojans and other malware"

8: "Spyware" "C:/windows/system32/" "Spyware.007SpySoftware" "Program designed to monitor user activity. May be used with or without consent."

9: "Trojan" "C:/windows/" "Trojan-Downloader.VBS.Small.dc" "This Trojan downloads other files via the FTP protocol and launches them for execution on the victim machine without the user’s knowledge."

10: "Rogue" "C:/Program Files/SecurePCCleaner" "SecurePCCleaner" "Rogue Security Software: fake Security software that uses deceptive means for installation and purpose."

11: "Worm" "autorun" "Win32.Peacomm.dam" "A Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines which downloads additional security threats."

12: "Trojan" "C:/windows/" "Trojan-Dropper.Win32.Agent.bot" "This Trojan is designed to install and launch other malicious programs on the victim machine without the knowledge or consent of the user."

13: "Dialer" "C:/windows/system32/cmdial32.dll" "Dialer.Xpehbam.biz_dialer" "A Dialer that loads pornographic material. The url information shows Hardcore Pornographic pages."

14: "Worm" "C:/windows/system32/" "Win32.Delbot.AI" "Win32.Delbot.AI is a worm and IRC backdoor that exploits system and software vulnerabilities in order to provide remote access to the host PC."

15: "Dialer" "C:/windows/hidden/" "Dialer.Trafficjam.a" "Dialer.Trafficjam.a is a premium-rate phone dialer that automatically invokes paid access to various porn-related Web sites."

16: "Trojan" "autorun" "Win32.Outsbot.u" "A backdoor Trojan that is remotely controlled via Internet Relay Chat (IRC). It exploits Sony Digital Rights Management (DRM) software to hide its presence."

17: "Trojan" "hidden autorun" "Trojan.Win32.Agent.ado" "Trojan downloader that is spread as an attachment to a spam email and tries to download a password stealer."

18: "Spyware" "autorun" "Win32.PerFiler" "Win32.PerFiler is designed to retrieve and install files when executed. Win32.PerFiler is configured to download from either a designated web or FTP site."

19: "Spyware" "autorun" "Spyware.KnownBadSites" "Uses the Windows hosts file to redirect your browser to a malicious site when you try to access a valid site."

20: "Trojan" "C:/windows/" "Trojan-Downloader.VBS.Small.dc" "This Trojan downloads other files via the FTP protocol and launches them for execution on the victim machine without the user’s knowledge."

21: "Trojan" "C:/windows/system32/explorer.exe" "Trojan.MailGrabber.s" "Trojan horse that gets access to e-mail accounts on the infected computer."

22: "Trojan" "C:/windows/system32/" "Trojan.BAT.Adduser.t" "This Trojan has a malicious payload. It is a BAT file. It is 1129 bytes in size."

23: "Worm" "C:/windows/system/" "Worm.Bagle.CP" "This is a ""Bagle"" mass-mailer which demonstrates typical ""Bagle"" behavior."

24: "Spyware" "C:/windows/system32/iesetup.dll" "Spyware.IEMonster.d" ""Steals passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs."

25: "Worm" "hidden autorun" "Win32.Miewer.a" "A Trojan Downloader that masquerades as a legitimate system file. Associated processes connect to the Internet to download additional malicious files"

26: "Trojan" "C:/windows/system/drivers/etc/" "Trojan.IRCBot.d" "a worm that opens an IRC back door on the infected host. It spreads by exploiting the Windows Remote Buffer Overflow Vulnerability."

27: "Worm" "hidden autorun" "Win32.Miewer.a" "A Trojan Downloader that masquerades as a legitimate system file."

28: "Worm" "C:/windows/temp/" "Win32.Rbot.CBX" "A worm and IRC backdoor that exploits system and software vulnerabilities in ord

29: "Trojan" "C:/windows/hidden/" "Trojan.Clicker.EC" "Trojan.Clicker.EC is an information stealing Trojan that masquerades as a legitimate system file so as to avoid detection and subsequent removal."

30: "Adware" "autorun" "Zlob.PornAdvertiser.ba" "Adware that displays pop-up/pop-under advertisements of pornographic or online gambling Web sites."

31: "Worm" "autorun" "Win32.Peacomm.dam" "A Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines which downloads additional security threats."

32: "Trojan" "C:/windows/system/mui/" "Trojan.Dropper.MSWord.j" "A Microsoft Word macro virus that drops a trojan onto the infected host."

33: "Spyware" "autorun" "Win32.PerFiler" "Win32.PerFiler is designed to retrieve and install files when executed. Win32.PerFiler is configured to download from either a designated web or FTP site."

34: "Trojan" "C:/windows/system/drivers/" "Win32.Spamta.KG.worm" "A multi-component mass-mailing worm that downloads and executes files from the Internet."

35: "Spyware" "autorun" "Spyware.IMMonitor" "program that can be used to monitor and record conversations in popular instant messaging applications."

36: "Trojan" "C:/windows/system/mui/" "Win32.Clagger.C" "This is small Trojan downloader that downloads files and lowers security settings. It is spreading as an email attachment."

37: "Trojan" "C:/windows/system32/alg.exe" "Trojan.Alg.t" "Trojan program that can compromise your private information stored on the hard drive."

38: "Worm" "C:/windows/temp/" "Win32.Sdbot.ADN" "A worm and IRC backdoor that exploits system and software vulnerabilities in order to provide unmitigated remote access to the host machine."

 

All of this belongs to brokewindow.

They are a Pitster.

Still can't run programs or get to the Pit.

Been trying all day.

Service Pack 3 installed, oddly enough.

hostexpert was able to run and detect trojans.

Edited by mme

I'm sorry, I was not too clear.

I did get the PM.

I know the tool is there,

but I can run it.

The computer's not near me.

I've been relaying messages back and forth, from the HijackThis log to what you sent me.

Believe me, we tried everything to get programs to run.

Tried F-Secure BlackLight,

Silent Runners.

But all these programs either get downloaded

or the website shuts down immediately.

We even compared Malwarebytes in the registry:

mine runs no problem, but it has 18 sub keys/entries in the Malwarebytes folder;

they only have 6.

So it seems the TrustedAntivirus and SecurePCCleaner

have disabled quite a bit.

Folder Options is not in Control Panel,

so we use Run to get to Folder Options:

Start >> Run >> control folders, press OK.

That brings up Folder Options,

but it has restrictions,

so we can't view hidden folders.

It's well hidden in the registry;

it's not in the Software branch of the registry tree console.

Once they can get to the Pit

I'm sure you can clean them up,

but this thing is all over the place.

We got the CD to work;

half an hour later it got disabled.

It shut down Windows Media Player 10.

The one that's infected is brokenwindow.

 

http://forums.pcpitstop.com/index.php?showuser=56842

 

Very hard and tedious task,

but they said as soon as they can they will be here in the Pit.

Edited by mme

New computer,

that's cool.

Congratulations.

Stay clear of unwanted stuff,

and leave LimeWire alone.

Stay away from Google search and toolbar.

Edited by mme