[Michelle]

Empty your recycle bin also!

[Advertisements]

aye, i had deleted C:\Windows\popupers.exe

C:\Windows\System32\intmonp.exe
C:\Windows\popupers.exe

are both gone.

"Empty your recycle bin also!"
done!

Edited by H8sDyFuca, 16 April 2005 - 02:52 AM.

[H8sDyFuca]

aye, i had deleted C:\Windows\popupers.exe

C:\Windows\System32\intmonp.exe
C:\Windows\popupers.exe

are both gone.

"Empty your recycle bin also!"
done!

Edited by H8sDyFuca, 16 April 2005 - 02:52 AM.

[Michelle]

As I said earlier, popupers will regenerate itself (in the registry) so please restart your computer

[H8sDyFuca]

"Go ahead and restart your computer, because I know one of the files wasn't deleted previously because I gave you the wrong file path. After you restart they should both be gone."

i did!

[Michelle]

You restarted after running Killbox the 2nd time? I never saw you leave the thread..

[H8sDyFuca]

yup, takes less then 1 minute to restart, unless you are constantly clicking refresh, you wouldnt notice me gone ;P

adaware and the cleaner have picked this up before, they arn't atm.

[Michelle]

Ok, I think that's all my brain can handle for tonight One last thing I want you to do:

I need you to download MWav

This scan takes around 3 hours to finish when set to scan everything. I need you to run MWav, put a check next to below items before scanning:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click "browse" to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure ALL of these are checked, then press the scan button. This will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run.

Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log with be extremely big so there is no way to copy the whole thing. I just need the infected items list.

And if this scan finds popupers you're in big trouble haha just kidding

I'll be back later in the morning (it's umm 3 here right now) to help you finish cleaning your system. Stay off the Internet as much as possible!

[H8sDyFuca]

will do! i'll post the infected files log tomorrow. good night.

it's scanning now. seeing as it has a popup that stops the search each time it detects something, i will stay up and monitor it.

edit- guess there is only a popup the first time it finds something. has found 5 more without stoping. think i will go to bed.

Edited by H8sDyFuca, 16 April 2005 - 03:21 AM.

[Michelle]

Good night!

[H8sDyFuca]

well it only took 44minutes Sat Apr 16 02:55:22 2005 => Scan Completed.

here is the log-

File C:\WINDOWS\tmp.hta infected by "Trojan-Downloader.VBS.Psyme.at" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\EVILAC~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\0527K1UN\actalert[1].exe infected by "Trojan-Downloader.Win32.Dyfuca.dp" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\EVILAC~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\EP3W9W7Y\winupdate96156828[1].exe infected by "Trojan-Downloader.Win32.Small.ait" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\EVILAC~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\5e21caee45aa8cb9c1434667dbbe0548[2].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\EVILAC~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\bridge-c282[1].cab infected by "not-a-virus:AdWare.WinAD.n" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\0527K1UN\actalert[1].exe infected by "Trojan-Downloader.Win32.Dyfuca.dp" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\EP3W9W7Y\winupdate96156828[1].exe infected by "Trojan-Downloader.Win32.Small.ait" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\5e21caee45aa8cb9c1434667dbbe0548[2].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\bridge-c282[1].cab infected by "not-a-virus:AdWare.WinAD.n" Virus. Action Taken: No Action Taken.

File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File C:\WINDOWS\tmp.hta infected by "Trojan-Downloader.VBS.Psyme.at" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\0527K1UN\actalert[1].exe infected by "Trojan-Downloader.Win32.Dyfuca.dp" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\EP3W9W7Y\winupdate96156828[1].exe infected by "Trojan-Downloader.Win32.Small.ait" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\5e21caee45aa8cb9c1434667dbbe0548[2].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Evil Acid\Local Settings\Temp\Temporary Internet Files\Content.IE5\KTI3W5EV\bridge-c282[1].cab infected by "not-a-virus:AdWare.WinAD.n" Virus. Action Taken: No Action Taken.

File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File C:\WINDOWS\tmp.hta infected by "Trojan-Downloader.VBS.Psyme.at" Virus. Action Taken: No Action Taken.

Note- added spaces to make it easier to read. i noticed there are dupelicate entries, not sure why.

[Michelle]

Did you download, install, and run Cleanup! from my previous post? Cleanup clears temporary internet files and it'll clear out those viruses hiding in your temporary internet files too. If you did run cleanup, this time reboot into safe mode then run cleanup.

*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file path listed below:

C:\WINDOWS\tmp.hta

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the YES button so that your computer restarts.

Then, for good measure, go into your Windows folder to see if you can find tmp.hta In the unlikely event that it's there, delete it!

Post a new HiJackThis log.

Edited by bananafanafo, 16 April 2005 - 08:55 AM.

[H8sDyFuca]

C:\WINDOWS\tmp.hta
successfully deleted. Cleanup ran in safe mode.

Logfile of HijackThis v1.99.1
Scan saved at 3:24:41 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Evil Acid\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: trillian.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

looks like we got rid of it. only thing left is my wallpaper. seeing as that was changed in my registry, do you think a reinstall of windows over my currect install would restore those changed values?

Edited by H8sDyFuca, 16 April 2005 - 04:29 PM.

[Michelle]

The infection you have seems to be running rampant right now! Last night was the first time I've seen this one (your system), then all of sudden today there are a ton of topics listed with this infection! Anyway, this is what I need:

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
Here is the information I need:

1.)Is there a folder called "System" inside the Policies folder (it'll be on the right side)

2.)If there is a "System" folder, doubleclick it to enter the folder.

Click on the first item in the list to highlight it then hold down shift, and press your down arrow key to highlight everything. Press CTRL + C to copy this information. Paste it here.

[H8sDyFuca]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\(default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispAppearancePage
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispBackgroundPage
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\Wallpaper
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\WallpaperStyle

[Michelle]

There we go!!

Paste this into registrar lite again:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Right click on the System folder that you just went into and go to "Delete".

Reboot your computer. Let me know if you can now access the tabs on your Desktop properties!