also having problems with virus/malware/spywares


sean_in_cali@yahoo.com

Guest
Hello everyone.

I had the same problem as in other virus/adware/spyware threads, except I know where I got it: while I was browsing a friend's MySpace pictures.

First IE7 crashed, and then Acrobat Reader opened with a blank file called "index". Then the desktop flashed and turned into a red background with a message in the middle saying I had been infected with spyware.

The link in the middle of the desktop (yes, the desktop turned red and had a hyperlink in the middle) took me to antispyspider.us/69, a website which appears to be an antispyware program page. Of course I didn't enter any information on it, because it's probably a phishing website.

I managed to remove WebHancer and 15 other trojans that infected my computer using SDFix after booting into Safe Mode. That seems to have gotten rid of most of the problem, all except one.

When I run HijackThis it brings back this entry, which cannot be deleted:

O4 - HKLM\..\Run: [bM271f59cb] Rundll32.exe "C:\WINDOWS\system32\qwfkxbss.dll",s Unknown application.

I can't delete this process using HijackThis, and when I'm using IE7 I now get unwanted popups about malware and spyware.

When I ran SDFix it saved a log of the deleted trojans:

C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\TFTP1996 - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted

Are there any that might still be around and causing this problem?

Also, my computer is losing focus when I'm typing on website forums. I'll type, but for some reason the letters do not get typed. It's almost as if the focus of the application is shifting invisibly back and forth. Very odd...

Below is the complete SDFix log file.

SDFix: Version 1.181
Run by xxxxx on Sat 05/10/2008 at 11:23 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\b2new.exe service

MsSecurity1.209.4 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\TFTP1996 - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 23:43:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:43,ae,5c,4b,a2,11,7a,79,64,44,6d,0a,b4,ab,ad,9c,cd,49,96,9d,c9,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:43,ae,5c,4b,a2,11,7a,79,64,44,6d,0a,b4,ab,ad,9c,cd,49,96,9d,c9,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Biology Tools\\Maxima-5.9.0\\bin\\xmaxima.exe"="C:\\Program Files\\Biology Tools\\Maxima-5.9.0\\bin\\xmaxima.exe:*:Enabled:TclKit = Tcl + IncrTcl + Tk + MetaKit"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Internet\\YChat\\YChat.exe"="C:\\Program Files\\Internet\\YChat\\YChat.exe:*:Enabled:Yahoo! Chat Fix"
"C:\\WINDOWS\\system32\\msiexec.exe"="C:\\WINDOWS\\system32\\msiexec.exe:*:Enabled:Windowsr installer"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet\\Kazaa Lite\\kazaa.core"="C:\\Program Files\\Internet\\Kazaa Lite\\kazaa.core:*:Enabled:Kazaa"
"C:\\Program Files\\Internet\\Xolox\\XoloxEXE.exe"="C:\\Program Files\\Internet\\Xolox\\XoloxEXE.exe:*:Enabled:Xolox"
"C:\\Program Files\\Internet\\Xolox\\mldonkey\\mlnet.exe"="C:\\Program Files\\Internet\\Xolox\\mldonkey\\mlnet.exe:*:Enabled:MLdonkey - multiuser P2P daemon"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\lxdccoms.exe"="C:\\WINDOWS\\system32\\lxdccoms.exe:*:Enabled:1300 Series Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe:*:Enabled:"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe:*:Enabled:"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 4 Nov 2005 10,856 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 17 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"

Finished!
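A small triage helper, added here as an illustration and not part of the thread, of SDFix or of HijackThis, that reads lines like the O4 entry and the SDFix deletion list above and flags the two patterns a responder would look at first: a Run value that launches rundll32 against a DLL with a random-looking name, and a `.com` file in system32 that shadows a built-in `.exe` (a command prompt resolves `ping` to `ping.com` before `ping.exe` because PATHEXT lists .COM first). The sample lines, the benign Java entry and the name heuristic are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines (not from a live machine), modelled on the O4 entry and SDFix list above.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [bM271f59cb] Rundll32.exe "C:\WINDOWS\system32\qwfkxbss.dll",s',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\bin\jusched.exe"',
    r'C:\WINDOWS\system32\cmd.com - Deleted',
    r'C:\WINDOWS\system32\ping.com - Deleted',
    r'C:\WINDOWS\system32\adult.txt - Deleted',
]
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)
# Built-in .exe tools; a same-named .com in system32 runs first because PATHEXT lists .COM before .EXE.
BUILTIN_EXE = {'cmd', 'ping', 'tracert', 'tasklist', 'netstat', 'taskkill'}

def looks_random(stem: str) -> bool:
    """Few vowels or a long consonant run: typical of generated names (qwfkxbss)."""
    letters = re.sub(r'[^a-z]', '', stem.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in 'aeiouy' for c in letters) / len(letters)
    longest_run = max(len(r) for r in re.findall(r'[^aeiouy]+', letters) or [''])
    return vowel_ratio < 0.25 or longest_run >= 5

def flag_o4(line: str):
    """Flag an O4 Run entry whose command uses rundll32 on a random-named DLL."""
    m = O4_RE.match(line)
    if not m: return None
    hive, value_name, command = m.groups()
    dll = DLL_RE.search(command)
    if 'rundll32' in command.lower() and dll:
        if looks_random(PureWindowsPath(dll.group(1)).stem) or looks_random(value_name):
            return f'{hive} Run [{value_name}]: rundll32 loads suspicious DLL {dll.group(1)}'
    return None

def flag_shadow_com(line: str):
    """Flag a deleted system32 .com file that shadows a built-in .exe."""
    m = re.match(r'^([A-Za-z]:\\.*?) - Deleted$', line)
    if not m: return None
    p = PureWindowsPath(m.group(1))
    if p.suffix.lower() == '.com' and p.stem.lower() in BUILTIN_EXE \
            and p.parent.name.lower() == 'system32':
        return f'{p}: .com shadows built-in {p.stem}.exe (PATHEXT resolves .COM first)'
    return None

def triage(lines):
    """Return (line, reason) pairs for every line one of the checks flags."""
    return [(l, r) for l in lines for r in [flag_o4(l) or flag_shadow_com(l)] if r]
```

Run `triage(SAMPLE_LINES)` to see the three hits; only the benign Java entry and the `.txt` file pass through unflagged.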

 

Malke

Guest
sean_in_cali@yahoo.com wrote:

> Hello everyone.
>
> I had the same problem as in other virus/adware/spyware threads except I know
> where I got it--while I was browsing a friend's MySpace pictures.
>
> First IE7 crashed and then Acrobat Reader opened with a blank file
> called index. And then the desktop flashed and turned into a red
> background with a message in the middle saying I have been infected
> with spyware.
>
> And the link in the middle of the desktop (yes, the desktop turned red
> and had a hyperlink in the middle) took me to antispyspider.us/69,
> a website which appears to be an antispyware program page.
>
> Of course I didn't enter any information on it because it's probably a
> phishing website.
>
> I managed to remove WebHancer and 15 other trojans that infected my
> computer using SDFix upon booting into Safe Mode. That seems to have
> gotten rid of most of the problem, all except one.
>
> When I run HijackThis it brings back this entry which cannot be
> deleted.
>
> O4 - HKLM\..\Run: [bM271f59cb] Rundll32.exe "C:\WINDOWS\system32\qwfkxbss.dll",s Unknown application.
>
> I can't delete this process using HijackThis and when I'm using IE7 I
> get unwanted popups about malware and spyware now.

(snippage)

We don't interpret HijackThis or SDFix logs here in the MS newsgroups. It takes a great deal of time and expertise to analyze these logs and you will not get the help you need here.

Choose one of the specialty forums below, register, read its posting FAQ, and post your log(s) there in the manner they request. You will generally be asked to:

1. Download and execute HijackThis (HJT) - http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe
2. Disable Notepad's word wrap - in Notepad.exe: Format --> uncheck "Word wrap"
3. Download/run Deckard's System Scanner - http://www.techsupportforum.com/sectools/Deckard/dss.exe
4. Save the scan results (Main.txt and Extra.txt)
5. And then post the contents of Main.txt and Extra.txt in your post at the forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/ind...showtutorial=42 - another tutorial

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and the stickies first.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

 

sean_in_cali@yahoo.com

Guest
How about if I rephrase the question...

Which of the following trojans, along with WebHancer, can cause problems in IE7, which is the default browser on my OS? Whichever one is doing it, I'm still getting random hijacks and popup ads from various malware/spyware companies.

Also, how do I get rid of them?

C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\TFTP1996 - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted

 

Kayman

Guest
On Sun, 11 May 2008 23:28:02 -0700 (PDT), sean_in_cali@yahoo.com wrote:

> How about if I rephrase the question...
>
> Which of the following trojans, along with WebHancer, can cause problems
> in IE7, which is the default browser on my OS?

All trojans are bad trojans.

> Whichever one is doing it,

Immaterial; your OS is compromised, that's all there is.

> I'm still getting random hijacks and popup ads from various malware/
> spyware companies.

Because you haven't got rid of the malware infestation.

> Also, how do I get rid of them?

<snip>

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2....emoving_Malware

If these steps don't remove the malware then you should reformat the HDD and re-install the Operating System.

 

Malke

Guest
sean_in_cali@yahoo.com wrote:

> How about if I rephrase the question...
>
> Which of the following trojans, along with WebHancer, can cause problems
> in IE7, which is the default browser on my OS?

All of them, and the other trojans with which your computer is still currently infected.

> Whichever one is doing
> it, I'm still getting random hijacks and popup ads from various malware/
> spyware companies.
>
> Also, how do I get rid of them?

At this point, get guided help at one of the specialty forums I already gave you. The only alternative to going through the malware removal tediously and systematically with online help from one of these forums, or taking the machine to a real professional (who may need to wipe/clean-install anyway), is to back up your data and do a clean install of Windows. It's your call.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2....talling_Windows - What you will need on-hand

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

 

R W

Guest
Antispyspider.us

If the Antispyspider.us website redirect is still occurring you might want to try cleaning your comp with Anti-malware by Malwarebytes; Spybot and Ad-aware have trouble eliminating some of the redirectors.

 