~Yesiammanu
Spybot-FB Worm
#16
Posted 20 September 2006 - 10:33 PM
~Yesiammanu
#17
Posted 26 September 2006 - 05:20 PM
You need to clean out Outlook, as it has some e-mails that have viral attachments.
Run HijackThis -> Config -> Misc Tools -> Open hosts file manager -> Open in notepad
Please post back the log from it.
Sorry for the delay, I overlooked your post.
#18
Posted 28 September 2006 - 08:37 PM
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
~Yesiammanu
#19
Posted 29 September 2006 - 08:18 AM
C:\WINDOWS\system32\drivers\etc\hosts.bak
Can you navigate to that file and open it with Notepad and post back the contents of it please?
It's a backup and I'm curious what's in it. Other than that, it seems everything else is cleared up. How is the machine running?
BTW I'm heading off for the weekend so you won't hear back from me till Monday.
#20
Posted 30 September 2006 - 07:07 PM
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 update.nprotect.com
127.0.0.1 update.nprotect.net
127.0.0.1 guard.gunbound.net
That's the backup one.
And here's the orig.
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Freaky.
~Yesiammanu
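A defender's check for the kind of HOSTS tampering seen in that hosts.bak, as an added example (not code from the thread or from HijackThis); the sample input is the backup file quoted above:

```python
"""Flag non-default entries in a Windows HOSTS file.

Added example (not code from the thread or from HijackThis). Malware often
sinks security-vendor update hostnames to 127.0.0.1 so the product cannot
update; the hosts.bak quoted above shows exactly that pattern.
"""
import ipaddress

# Stock entries shipped by Windows; anything else is worth a look.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) tuples, one per hostname on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or address without a name
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first column is not an IP address
        entries.extend((ip, name.lower()) for name in names)
    return entries

def suspicious_entries(text):
    """Non-default mappings as (kind, ip, hostname); loopback sinks are 'blackholed'."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        kind = "blackholed" if ipaddress.ip_address(ip).is_loopback else "redirected"
        findings.append((kind, ip, name))
    return findings

# Sample input: the hosts.bak content quoted in the post above.
SAMPLE_HOSTS_BAK = """\
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 update.nprotect.com
127.0.0.1 update.nprotect.net
127.0.0.1 guard.gunbound.net
"""

if __name__ == "__main__":
    for kind, ip, name in suspicious_entries(SAMPLE_HOSTS_BAK):
        print(f"{kind:<11} {ip:<15} {name}")
```

Run against C:\WINDOWS\system32\drivers\etc\hosts (or its .bak) on a suspect machine; any "blackholed" hit on a vendor or update domain is a sign the file was edited to keep protection from updating.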
#21
Posted 01 October 2006 - 07:30 PM
How is it running?
Please use the following suggestions to help prevent reinfection.
Download the following program for keeping crap off your system to begin with:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download SpywareBlaster
Keep Ad-Aware and Spybot 1.4 handy. Check them for updates prior to running, and run them weekly.
Same with your antivirus.
For an added check, run an online virus scan; you can use one of the two below:
TrendMicro's HouseCall
ActiveScan
Be sure to give the Temp folders a cleaning out now and then as well. A handy tool to do this:
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Remember to check Windows for updates.
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?
#22
Posted 02 October 2006 - 11:21 AM
Because I'm still getting bluescreen errors
Also, my internet connection is DEFINITELY not what it used to be 3 months ago.
My ip keeps changing!! =(
http://www.geekstogo...s...=120298&hl=
I already followed some removal instructions here, but I'm not exactly sure they worked, because the process still came up. Wdfmnger is a trojan + rootkit, instructions please?
The process no longer comes up, but... yeah
Also, I looked on systematic, and it said RenGuard (for C&C Renegade) installs the virus. Should I uninstall Renegade?
~Yesiammanu
P.S. The adaware download link is broken
Edited by yesiammanu, 02 October 2006 - 11:24 AM.
#23
Posted 02 October 2006 - 05:29 PM
Also, I looked on systematic, and it said RenGuard (for C&C Renegade) installs the virus. Should I uninstall Renegade?
Go ahead and remove it and see if there is a difference
#24
Posted 02 October 2006 - 06:35 PM
Yay
Spyware doctor report
Infection Name Location Risk
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG## High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##ConsoleTracingMask High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##EnableConsoleTracing High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##EnableFileTracing High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##FileDirectory High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##FileTracingMask High
Trojan.Downloader.AEU HKLM\SOFTWARE\Microsoft\Tracing\FWCFG##MaxFileSize High
~Yesiammanu
Edited by yesiammanu, 02 October 2006 - 06:40 PM.
#25
Posted 02 October 2006 - 06:49 PM
Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports":
  - Select "Automatically generate report after every scan"
  - Un-Select "Only if threats were found"
- Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
- Launch ewido anti-spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
- If you have any infections you will be prompted, then select "Apply all actions".
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
- Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
#26
Posted 02 October 2006 - 08:49 PM
1. I keep hearing a beeping sound
2. I caught a glimpse of Microsoft Outlook
3. Constant "spikes" when doing things
I'll scan with HouseCall right now; I can't go into Safe Mode because I'm writing up some HW.
That brings up another interesting question, can I go into Safe Mode again?
~Yesiammanu
Edited by yesiammanu, 02 October 2006 - 08:50 PM.
#27
Posted 03 October 2006 - 06:12 PM
#28
Posted 03 October 2006 - 08:26 PM
I have wuauclt.exe, but I'm a Windows XP professional user.
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 21:01 06-10-03
+ Scan result:
C:\Documents and Settings\Admin\Desktop\blah\Aimbot.rar/Aimbot.exe -> Backdoor.Dragonbot.1 : No action taken.
C:\Documents and Settings\Admin\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Admin\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
::Report end
~Yesiammanu
Edited by yesiammanu, 03 October 2006 - 10:09 PM.
#29
Posted 04 October 2006 - 05:37 PM
#30
Posted 10 October 2006 - 04:39 PM
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:08 06-10-10
+ Scan result:
C:\Documents and Settings\Admin\Desktop\blah\Aimbot.rar/Aimbot.exe -> Backdoor.Dragonbot.1 : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Desktop\Torrent patch\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
::Report end