Spybot-FB Worm



#16
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
Kaspersky added, no files removed (Was there an option? I didn't see one :blink:)

~Yesiammanu :whistling:


#17
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts
Nope, no option to remove files.

You need to clean out Outlook, as it has some e-mails that have viral attachments.

Run HijackThis -> Config -> Misc Tools -> Open hosts file manager -> Open in notepad

Please post back the log from it.


Sorry for the delay, I overlooked your post.

#18
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
Sorry, I forgot I had a trojan (Lol! I'm an idiot)

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost



~Yesiammanu :whistling:

#19
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts

C:\WINDOWS\system32\drivers\etc\hosts.bak


Can you navigate to that file, open it with Notepad and post back the contents of it please?

It's a backup and I'm curious what's in it. Other than that, it seems everything else is cleared up; how is the machine running?


BTW, I'm heading off for the weekend so you won't hear back from me till Monday.

#20
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
<3 you Don.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 update.nprotect.com
127.0.0.1 update.nprotect.net
127.0.0.1 guard.gunbound.net

That's the backup one.

And here's the orig.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Freaky.

~Yesiammanu :whistling:
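The three extra lines in that hosts.bak are the security-relevant clue: they map the nProtect update servers and the GunBound guard service to 127.0.0.1, a well-known malware tactic for stopping protective software from ever reaching its update servers. The following is an added example (not part of the thread, and not code from any tool it mentions) that parses a Windows hosts file and reports every hostname, other than the expected local names, that has been redirected to a loopback or blackhole address; the sample text is constructed from the backup file posted above.

```python
import ipaddress

# Addresses malware uses to sinkhole a hostname so the software behind it
# can never reach its update or licensing servers.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Hostnames that legitimately map to loopback in a stock Windows hosts file.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.
    Handles tabs, inline '#' comments and several hostnames per line,
    all of which the Windows hosts format allows."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not "<ip> <host>"; skip rather than guess
        for host in fields[1:]:
            yield str(ip), host.lower(), line_no

def find_sinkholed_hosts(text):
    """Return [(hostname, line_no)] for names redirected to a sinkhole address.
    Any hostname outside EXPECTED_LOCAL pointing at loopback or 0.0.0.0 is
    suspicious: that is how the nProtect update servers were silenced above."""
    return [(host, line_no) for ip, host, line_no in parse_hosts(text)
            if ip in SINKHOLE_ADDRESSES and host not in EXPECTED_LOCAL]

# Constructed sample based on the hosts.bak posted above (header trimmed; one
# entry rewritten with a tab and an inline comment to exercise the parser).
SAMPLE_HOSTS_BAK = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 update.nprotect.com
127.0.0.1\tupdate.nprotect.net  # blocks the vendor's update server
127.0.0.1 guard.gunbound.net
"""

if __name__ == "__main__":
    for host, line_no in find_sinkholed_hosts(SAMPLE_HOSTS_BAK):
        print(f"line {line_no}: {host} -> loopback (suspicious)")
```

On a live machine, read C:\WINDOWS\system32\drivers\etc\hosts (and any .bak beside it) and pass the text to find_sinkholed_hosts; an empty result is what a clean stock file produces.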

#21
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts
Nice job, your log is clean!
How is it running?
Please use the following suggestions to help prevent reinfection.


Download the following program for keeping crap off your system to begin with.
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download SpywareBlaster

Keep Ad-Aware and Spybot 1.4 handy. Check them for updates prior to running and run them weekly.
Same with your anti-virus.

For an added check, run an online virus scan; you can use one of the 2 below:
TrendMicro's HouseCall
ActiveScan

Be sure to give the Temp folders a cleaning out now and then as well. A handy tool to do this:
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Remember to check Windows for updates.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

#22
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
What about that hacker I was telling you about?

Because I'm still getting bluescreen errors.

Also, my internet connection is DEFINITELY not what it used to be 3 months ago.

My IP keeps changing!! =(

I already followed some removal instructions here, but I'm not exactly sure they worked, because the process still came up. Wdfmnger is a trojan + rootkit, instructions please?

http://www.geekstogo...s...=120298&hl=
The process no longer comes up, but... yeah.

Also, I looked on systematic, and it said RenGuard (for C&C Renegade) installs the virus. Should I uninstall Renegade?

~Yesiammanu :whistling:

P.S. The Ad-Aware download link is broken.

Edited by yesiammanu, 02 October 2006 - 11:24 AM.


#23
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts

Also, I looked on systematic, and it said RenGuard (for C&C Renegade) installs the virus. Should I uninstall Renegade?


Go ahead and remove it and see if there is a difference.

#24
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
I deleted it, and got 1 GB back of my memory.

Yay

Spyware doctor report

Infection Name Location Risk
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG## High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##ConsoleTracingMask High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##EnableConsoleTracing High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##EnableFileTracing High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##FileDirectory High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##FileTracingMask High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##MaxFileSize High


~Yesiammanu :whistling:

Edited by yesiammanu, 02 October 2006 - 06:40 PM.


#25
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts
Let's see if Ewido shows us anything.

Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
  • Close ewido anti-spyware. Do Not run a scan just yet, we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


#26
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
Ok, now I'm sure I still have the worm because:

1. I keep hearing a beeping sound
2. I caught a glimpse of Microsoft Outlook
3. Constant "spikes" when doing things

I'll scan with HouseCall right now; I can't go into safe mode because I'm writing up some HW.

That brings up another interesting question: can I go into safe mode again?

~Yesiammanu :whistling:

Edited by yesiammanu, 02 October 2006 - 08:50 PM.


#27
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts
Please run Ewido and post back the log from it.

#28
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
I'm running a scan with Ewido now.

I have wuauclt.exe, but I'm a Windows XP Professional user.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:01 06-10-03

+ Scan result:



C:\Documents and Settings\Admin\Desktop\blah\Aimbot.rar/Aimbot.exe -> Backdoor.Dragonbot.1 : No action taken.
C:\Documents and Settings\Admin\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end


~Yesiammanu :whistling:

Edited by yesiammanu, 03 October 2006 - 10:09 PM.


#29
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts
You need to run Ewido again, and this time when it has completed, below the window where it shows you what it has found, you need to choose Quarantine as the applied action, then save the log and post it back for me please.
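The point of the reply above is that "No action taken" means every listed object, including the Backdoor.Dragonbot.1 archive, is still on disk. As an added example (not from the thread, and not code from ewido itself), here is a small parser for the report format posted in #28 that lists detections left unresolved and counts them by family, so a single Backdoor entry is not lost among tracking cookies. The sample report is constructed from the lines posted above; treating any action that mentions neither "cleaned" nor "quarantined" as unresolved is an assumption of this example.

```python
import re
from collections import Counter

# One ewido result line: "<path> -> <detection name> : <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$")

# Assumption of this example: an action that mentions neither of these words
# left the object in place. "No action taken" is the case seen in the thread.
RESOLVED_MARKERS = ("cleaned", "quarantined")

def parse_report(text):
    """Return a list of {'path', 'name', 'action'} dicts from an ewido report.
    Header, 'Created at' and '::Report end' lines do not match and are skipped."""
    findings = []
    for line in text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings

def unresolved(findings):
    """Paths whose action neither cleaned nor quarantined the object."""
    return [f["path"] for f in findings
            if not any(word in f["action"].lower() for word in RESOLVED_MARKERS)]

def families(findings):
    """Count detections by family (the name up to the first dot), so a
    single Backdoor entry is not lost among a page of tracking cookies."""
    return Counter(f["name"].split(".")[0] for f in findings)

# Constructed sample modelled on the two ewido logs posted in this thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 21:01 06-10-03
+ Scan result:
C:\Documents and Settings\Admin\Desktop\blah\Aimbot.rar/Aimbot.exe -> Backdoor.Dragonbot.1 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Desktop\Torrent patch\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
::Report end
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("by family:", dict(families(found)))
    for path in unresolved(found):
        print("still present, rerun with Quarantine:", path)
```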

#30
yesiammanu
  • Member
  • Topic Starter
  • 213 posts
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:08 06-10-10

+ Scan result:



C:\Documents and Settings\Admin\Desktop\blah\Aimbot.rar/Aimbot.exe -> Backdoor.Dragonbot.1 : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Desktop\Torrent patch\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).


::Report end