also having problems with virus/malware/spywares

  • Thread starter sean_in_cali@yahoo.com
  • Start date
S

sean_in_cali@yahoo.com

Hello everyone.

I had the same problem as in other virus/adware/spyware except i know
where i got it--while I was browsing a friend's myspace pictures.

First the IE7 crashed and then acrobat reader open with a blank file
called index. And then the desktop flashed and turned into red
background with a message in the middle saying I have been infected
with a spyware.

And the link the the middle of the desktop(yes the desktop turned red
and had a hyper link in the middle) took me to antispyspider.us/69
website which appears to be antispyware program page.

Of course I didn't enter any information on it because it's probably a
phishing website.

I managed to remove webhancer and 15 other trojans that infected my
computer using SDFix upon booting into safemode. That seems to have
gotten rid of most of the problem, all except one.

When I run hijackthis it brings back this entry which cannot be
deleted.

O4 - HKLM\..\Run: [BM271f59cb] Rundll32.exe "C:\WINDOWS
\system32\qwfkxbss.dll",s Unknown application.

I can't delete this process using hijack this and when I'm using IE7 i
get unwated popups about malwares and spywares now.

When i did the SDFix it saved a log of deleted trojans.


C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\TFTP1996 - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted

Is there any that still might be around and causing this problem?
also my computer is losing focus when i'm typing on website forums.
I'll type but some reason the letter do not get typed. itlmost as if
the focus of the application is shifting invisibly back and forth.
very odd...,






Below is the complete SDFix log file.




SDFix: Version 1.181
Run by xxxxx on Sat 05/10/2008 at 11:23 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\b2new.exe service

MsSecurity1.209.4 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\TFTP1996 - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by
Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 23:43:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:43,ae,5c,4b,a2,11,7a,79,64,44,6d,0a,b4,ab,ad,9c,cd,
49,96,9d,c9,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:43,ae,5c,4b,a2,11,7a,79,64,44,6d,0a,b4,ab,ad,9c,cd,
49,96,9d,c9,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess
\parameters\firewallpolicy\standardprofile\authorizedapplications
\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\
\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\Biology Tools\\Maxima-5.9.0\\bin\\xmaxima.exe"="C:\
\Program Files\\Biology Tools\\Maxima-5.9.0\\bin\
\xmaxima.exe:*:Enabled:TclKit = Tcl + IncrTcl + Tk + MetaKit"
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\
\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Internet\\YChat\\YChat.exe"="C:\\Program Files\
\Internet\\YChat\\YChat.exe:*:Enabled:Yahoo! Chat Fix"
"C:\\WINDOWS\\system32\\msiexec.exe"="C:\\WINDOWS\\system32\
\msiexec.exe:*:Enabled:Windowsr installer"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\
\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\
\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\
\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\
\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet\\Kazaa Lite\\kazaa.core"="C:\\Program
Files\\Internet\\Kazaa Lite\\kazaa.core:*:Enabled:Kazaa"
"C:\\Program Files\\Internet\\Xolox\\XoloxEXE.exe"="C:\\Program Files\
\Internet\\Xolox\\XoloxEXE.exe:*:Enabled:Xolox"
"C:\\Program Files\\Internet\\Xolox\\mldonkey\\mlnet.exe"="C:\\Program
Files\\Internet\\Xolox\\mldonkey\\mlnet.exe:*:Enabled:MLdonkey -
multiuser P2P daemon"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\
\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\
\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\
\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1
(Phone)"
"C:\\WINDOWS\\system32\\lxdccoms.exe"="C:\\WINDOWS\\system32\
\lxdccoms.exe:*:Enabled:1300 Series Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\
\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"="C:\
\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe:*:Enabled:
"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"="C:\
\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe:*:Enabled:
"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network
Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\
\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL
Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\
\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess
\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\
\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\
\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\
\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1
(Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network
Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot -
Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot -
Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot -
Search & Destroy\TeaTimer.exe"
Fri 4 Nov 2005 10,856 A.SH. --- "C:\WINDOWS
\system32\KGyGaAvL.sys"
Fri 17 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All
Users\DRM\DRMv1.bak"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files
\Adobe\ESD\DLMCleanup.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS
\SoftwareDistribution\Download
\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"

Finished!
 
M

Malke

sean_in_cali@yahoo.com wrote:

> Hello everyone.
>
> I had the same problem as in other virus/adware/spyware except i know
> where i got it--while I was browsing a friend's myspace pictures.
>
> First the IE7 crashed and then acrobat reader open with a blank file
> called index. And then the desktop flashed and turned into red
> background with a message in the middle saying I have been infected
> with a spyware.
>
> And the link the the middle of the desktop(yes the desktop turned red
> and had a hyper link in the middle) took me to antispyspider.us/69
> website which appears to be antispyware program page.
>
> Of course I didn't enter any information on it because it's probably a
> phishing website.
>
> I managed to remove webhancer and 15 other trojans that infected my
> computer using SDFix upon booting into safemode. That seems to have
> gotten rid of most of the problem, all except one.
>
> When I run hijackthis it brings back this entry which cannot be
> deleted.
>
> O4 - HKLM\..\Run: [BM271f59cb] Rundll32.exe "C:\WINDOWS
> \system32\qwfkxbss.dll",s Unknown application.
>
> I can't delete this process using hijack this and when I'm using IE7 i
> get unwated popups about malwares and spywares now.


(snippage)

We don't interpret HijackThis or SDFix logs here in the MS newsgroups. It
takes a great deal of time and expertise to analyze these logs and you will
not get the help you need here.

Choose one of the specialty forums below, register, read its posting FAQ,
and post your log(s) there in the manner they request. You will generally
be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe Format --> uncheck "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
S

sean_in_cali@yahoo.com

How about if I rephrase the question.. .

which of the following trojans along with webhancer can cause problems
in IE7 which is the default browser on my OS? Which ever one is doing
it, I'm still getting random hijack and popup ads from various malware/
spyware companies.

Also how do I get rid of them?


C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\TFTP1996 - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted
 
K

Kayman

On Sun, 11 May 2008 23:28:02 -0700 (PDT), sean_in_cali@yahoo.com wrote:

> How about if I rephrase the question.. .
>
> which of the following trojans along with webhancer can cause problems
> in IE7 which is the default browser on my OS?


All trojans are bad trojans.

> Which ever one is doing it,


Immaterial, your OS is compromised that's all there is.

> I'm still getting random hijack and popup ads from various malware/
> spyware companies.


Because you haven't got rid of the malware infestation.

> Also how do I get rid of them?


<snip>

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

If these steps don't remove the malware then you should reformat the HDD
and re-install the Operaring System.
 
M

Malke

sean_in_cali@yahoo.com wrote:

> How about if I rephrase the question.. .
>
> which of the following trojans along with webhancer can cause problems
> in IE7 which is the default browser on my OS?


All of them and the other trojans with which your computer is still
currently infected.

> Which ever one is doing
> it, I'm still getting random hijack and popup ads from various malware/
> spyware companies.
>
> Also how do I get rid of them?


At this point, get guided help at one of the specialty forums I already gave
you. The only alternative to going through the malware removal tediously
and systematically with online help from one of these forums and taking the
machine to a real professional (who may need to wipe/clean-install anyway)
is to back up your data and do a clean install of Windows. It's your call.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
R

R W

Antispyspider.us

If the Antispyspider.us website redirect is still occurring you might want to try cleaning your comp with Anti-malware by Malwarebytes Spybot and Ad-aware have trouble eliminating some of the redirectors.
 
Back
Top Bottom