Please Help me
MalwareRemoval.com forum: Infected? Virus, malware, adware, ransomware, oh my!

Post by amateur » December 1st, 2005, 11:27 pm

Thank you for the logs, Bober. :) I'll get back to you tomorrow.
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Post by amateur » December 3rd, 2005, 9:06 pm

Hi Bober, :)

I need you to do the following:

Download hoster from this link.
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
Download DLLCompare.
  • Double-click on DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
  • Once it has finished comparing click "Make a Log of what was found".
  • Click "Yes" at the View Log file? prompt to view the log.
  • Copy and paste the entire log into this topic.
  • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
  • Click "Exit" to exit DLLCompare.

Download RootkitRevealer 1.56.
  • Click on RootkitRevealer 1.56 under October 26. The (free) tool download is at the end of the page that opens.
  • Once RootkitRevealer is done, click File > Save, and save the report.


Reboot and post a new HijackThis log into this thread along with the DLLCompare log.txt and the RootkitRevealer report.
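An added example, not code from this thread or from the Hoster tool, showing what the "Restore Original Hosts" step above defends against. Malware of this era edited C:\WINDOWS\system32\drivers\etc\hosts to pin security-vendor sites to 127.0.0.1 (so updates and online scans fail) or to send popular sites to an attacker-chosen address. The script below parses a hosts file and flags such entries; the sample file is constructed, and 1.2.3.4 is a placeholder address, not a real indicator.

```python
r"""Flag hijack-style entries in a Windows hosts file.

Added example; it is not code from this thread or from the Hoster tool.
"Restore Original Hosts" rewrites C:\WINDOWS\system32\drivers\etc\hosts back
to its stock content. This shows what that guards against, on a constructed
sample: the stock loopback line, a security-vendor site pinned to 127.0.0.1
so it can never be reached, and a popular site pointed at an attacker-chosen
public address (1.2.3.4 is a placeholder here, not a real indicator).
"""
import ipaddress

# Constructed sample, modelled on the stock Windows XP hosts file plus two
# hijack lines and one ordinary LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.kaspersky.com       # vendor site blocked
1.2.3.4         www.google.com          # redirect to attacker-chosen address
192.168.0.10    printer.lan             # ordinary LAN name
"""

# The only mapping the stock XP hosts file ships with.
STOCK_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed; do not guess
        for host in fields[1:]:                # one IP may list several names
            entries.append((fields[0], host.lower()))
    return entries


def classify(ip, host):
    """'stock', 'private', 'sinkhole' or 'redirect' for a single entry."""
    if (ip, host) in STOCK_ENTRIES:
        return "stock"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "redirect"                      # unparsable; treat as hostile
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"                      # name silently blackholed
    if addr.is_private:
        return "private"                       # LAN entry; usually legitimate
    return "redirect"                          # public name sent to a public IP


def suspicious_entries(text):
    """Entries that override public DNS and deserve a look before trusting
    anything fetched over the network, update servers and online scans included."""
    flagged = []
    for ip, host in parse_hosts(text):
        kind = classify(ip, host)
        if kind in ("sinkhole", "redirect"):
            flagged.append((ip, host, kind))
    return flagged


if __name__ == "__main__":
    for ip, host, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {host:20} -> {ip}")
```

The categories are this example's own. A "private" result is normally a deliberate LAN entry but still worth reading; on a clean XP machine only the stock loopback line should be present, which is exactly the state "Restore Original Hosts" puts back.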

Post by bober » December 3rd, 2005, 10:28 pm

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,133 items found: 1,133 files, 0 directories.
Total of file sizes: 203,815,519 bytes 194.37 M

Administrator Account = True

--------------------End log---------------------

Here's Rootkit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 12/3/2005 9:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 12/3/2005 9:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License* 8/29/2005 4:44 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Ryan Andrew Chang\ntuser.dat.LOG:KAVICHS 12/3/2005 9:31 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP358\A0141231.exe:KAVICHS 10/1/2005 6:05 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP358\A0141261.exe:KAVICHS 10/1/2005 6:05 PM 68 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP367\A0144229.dll:KAVICHS 10/8/2005 7:26 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP367\A0144236.exe:KAVICHS 10/8/2005 7:33 PM 68 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144239.exe:KAVICHS 10/8/2005 7:37 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144378.exe:KAVICHS 10/10/2005 1:40 PM 68 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144391.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144397.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144398.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144428.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144437.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144442.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP370\A0144490.dll:KAVICHS 10/16/2005 3:43 PM 36 bytes Hidden from Windows API.

And now here's hijack

Logfile of HijackThis v1.99.1
Scan saved at 11:56:01 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack THis newest\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
bober
Active Member
Posts: 10
Joined: November 7th, 2005, 8:04 pm
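An added example, not code from this thread or from Sysinternals, that makes the reading of the RootkitRevealer report above explicit. RootkitRevealer lists every place where the Win32 API's view of the file system or registry differs from the raw NTFS or hive data, and not every line means a rootkit: the ":KAVICHS" entries are NTFS alternate data streams written by Kaspersky Anti-Virus (hidden from the normal directory API only because all alternate streams are), the Prefetcher counters change while the scan runs, and the embedded-null registry key is the one that cannot be explained by normal software. The script parses a subset of the lines posted above and sorts them into buckets; the severity labels and the two "known benign" rules are this example's own judgement, not something the tool reports.

```python
"""Triage a RootkitRevealer report.

Added example; it is not code from the thread or from Sysinternals.
Each report line is one discrepancy between the Win32 API and raw NTFS or
registry-hive data. The sample below is a subset of the report posted above.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 12/3/2005 9:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 12/3/2005 9:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License* 8/29/2005 4:44 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Ryan Andrew Chang\ntuser.dat.LOG:KAVICHS 12/3/2005 9:31 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP358\A0141231.exe:KAVICHS 10/1/2005 6:05 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP367\A0144229.dll:KAVICHS 10/8/2005 7:26 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP370\A0144490.dll:KAVICHS 10/16/2005 3:43 PM 36 bytes Hidden from Windows API.
"""

# path, date, time, size, description; the path may itself contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d,]+) bytes (?P<desc>.+)$"
)

# KAVICHS is the alternate data stream Kaspersky Anti-Virus attaches to files
# it has scanned. It is "hidden" only because the Win32 directory API never
# lists alternate streams; any other stream name still deserves a look.
KNOWN_AV_STREAMS = {"KAVICHS"}

# Values rewritten constantly by the OS; an API-vs-raw mismatch there means the
# two reads happened at different moments, not that something is hidden.
VOLATILE_KEY_PREFIXES = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher",)


def parse_report(text):
    """One dict per report line: path, date, time, size (int), desc."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            entries.append(d)
    return entries


def ads_stream(path):
    """Stream name for drive-letter paths of the form file:stream, else None
    (registry keys and plain files have no second colon)."""
    if len(path) > 2 and path[0].isalpha() and path[1] == ":":
        rest = path[2:]
        if ":" in rest:
            return rest.rsplit(":", 1)[1]
    return None


def triage(entry):
    """(severity, reason) for one discrepancy; the labels are this example's."""
    path, desc = entry["path"], entry["desc"]
    if desc.startswith("Key name contains embedded nulls"):
        # Win32 registry calls take NUL-terminated names while the native API
        # takes counted strings, so a key with an embedded NUL cannot be opened
        # or deleted with regedit. Classic user-mode hiding; always review.
        return ("HIGH", "registry key with embedded NUL")
    if desc.startswith("Data mismatch") and path.startswith(VOLATILE_KEY_PREFIXES):
        return ("INFO", "volatile value changed during scan")
    stream = ads_stream(path)
    if stream in KNOWN_AV_STREAMS:
        where = ("system restore copy" if "\\System Volume Information\\" in path
                 else "live file")
        return ("LOW", f"known AV stream {stream} on {where}")
    if stream is not None:
        return ("MEDIUM", f"unrecognised alternate data stream {stream}")
    if desc.startswith("Hidden from Windows API"):
        return ("HIGH", "object hidden from Windows API")
    return ("MEDIUM", "unclassified discrepancy")


def summarize(text):
    """Count of entries per severity."""
    return Counter(triage(e)[0] for e in parse_report(text))


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        sev, why = triage(e)
        print(f"{sev:6} {why:45} {e['path']}")
    print(dict(summarize(SAMPLE_REPORT)))
```

On the posted report this leaves one HIGH item (the PSGuard key) and nothing hidden from the API except known AV streams; the restore-point copies only matter insofar as System Restore can bring old files back, which is why helpers routinely have it flushed at the end of a cleanup.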

Post by amateur » December 4th, 2005, 11:41 am

Hi Bober, :)

Thank you for the logs. :thumbright: Let's continue. Please press the Windows key and "E" at the same time to bring up Windows Explorer and navigate to the C:\Windows\Prefetch folder. Click Edit > Select All and delete the entire content of the folder (not the folder itself).
==================
Download BlackLight Beta and run it.
Leave [X] Scan through Windows Explorer checked,
click Scan >> Next.
If any items are detected, have BlackLight rename them, except for "wbemtest.exe".
Do not rename "wbemtest.exe"; it's a Windows file.
The tool will ask if you want to reboot (restart); choose Yes.
Then save the log from it.
==================
Run Ccleaner following my earlier instructions.
==================
Now download Killbox (by Option^Explicit) from here to your Desktop.
==================
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for further information.
==================
Once in Safe Mode, please run Killbox.

Click on "Delete on Reboot".
Copy the file names and paths below in BOLD to the clipboard by highlighting them, then pressing the Ctrl and C keys at the same time.

C:\WINDOWS\system32\secure33.txt
C:\WINDOWS\SYSTEM32\sdkaa32.exe
C:\Documents and Settings\Ryan Andrew Chang\Favorites\SITES ABOUT\Ab scissor.url
C:\Documents and Settings\Ryan Andrew Chang\Favorites\Only sex website.url
C:\Documents and Settings\Ryan Andrew Chang\Local Settings\Temp\27.tmp
C:\Documents and Settings\Ryan Andrew Chang\Local Settings\Temp\2A.tmp

- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the "red-and-white" Delete File button
- Click Yes at the Delete on Reboot prompt
- Click Yes at the Reboot Now prompt.
==================
Run Ccleaner again.
==================
Please run RootkitRevealer one more time and save the report.
==================
Now run Panda again.
==================
Reboot. Run HijackThis. Post the new log from HijackThis, Blacklight report, Rootkit Revealer report and the Panda online scan result.
I think I asked this question before but didn't get an answer. Are you still getting hijacked? If so, what's the page you are getting hijacked to?
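An added example, not code from this thread or from Killbox, showing the mechanism behind the "Delete on Reboot" step above. A file that is locked (held open by a running process, or protected by a rootkit) cannot be removed while Windows is up; the standard answer is MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which does not touch the file but records the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager (smss.exe) carries it out early in the next boot, before user-mode malware has started. Whether Killbox uses exactly this call is not stated on the page; the value format below is the documented Windows one, and the file names are the two system32 paths from the post above.

```python
r"""Build and decode PendingFileRenameOperations.

Added example; not code from the thread or from Killbox. The value is a
REG_MULTI_SZ of alternating source/target strings. Sources carry the NT
object-manager prefix \??\ on the DOS path; an empty target means "delete
the source", and a target starting with "!" means "overwrite the target if
it exists". The decoder assumes the value is terminated exactly as
encode_multi_sz writes it.
"""

NT_PREFIX = "\\??\\"     # the \??\ prefix Windows puts in front of DOS paths


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, then a final NUL.
    Empty strings are preserved because the delete convention depends on them."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"


def delete_on_reboot_entries(paths):
    """The string pairs a delete-on-reboot request appends to the value:
    '\\??\\<path>' followed by an empty target."""
    out = []
    for p in paths:
        out.append(NT_PREFIX + p)
        out.append("")                   # empty target: delete source at boot
    return out


def decode_pending_ops(data):
    """Raw value bytes -> list of ('delete'|'move'|'replace', src, dst)."""
    parts = data.decode("utf-16-le").split("\x00")
    # The last string's NUL plus the list terminator yield two trailing empties.
    if parts[-2:] != ["", ""]:
        raise ValueError("not a terminated REG_MULTI_SZ")
    parts = parts[:-2]
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        src = src.removeprefix(NT_PREFIX)
        if dst == "":
            ops.append(("delete", src, None))
            continue
        kind = "move"
        if dst.startswith("!"):          # '!' means overwrite an existing target
            kind, dst = "replace", dst[1:]
        ops.append((kind, src, dst.removeprefix(NT_PREFIX)))
    return ops


if __name__ == "__main__":
    targets = [r"C:\WINDOWS\system32\secure33.txt", r"C:\WINDOWS\SYSTEM32\sdkaa32.exe"]
    blob = encode_multi_sz(delete_on_reboot_entries(targets))
    for op in decode_pending_ops(blob):
        print(op)
```

Reading this value back (the decoder here, or regedit) is also a useful check after a cleanup: an entry you did not queue means something else has scheduled a file change for the next boot, and it runs with Session Manager's privileges before any scanner does.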

Post by bober » December 4th, 2005, 2:06 pm

Oh yes, sorry. At the time the question was asked I was getting hijacked. It was to something like Quick Web Search or something like that... It had all these links at the bottom of it... But now, after running the first step that you told me, I'm not getting hijacked anymore. But my computer is still a little slower (that could be because it's like 7 years old...). Also, the welcome screen is still black instead of blue.

Post by amateur » December 5th, 2005, 10:41 am

Thanks for the information. :) Please continue with the instructions. We'll get to the screen color later. I am still waiting for the new log from HijackThis, Blacklight report, Rootkit Revealer report and the Panda online scan result.

Post by NonSuch » December 15th, 2005, 1:43 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California