Desktop and IE Settings Changed by Hijacker


#16 don77 (Malware Expert, Retired Staff, 18,526 posts)

Hi ThaWacky, sorry for the late reply.

I need you to open IE; I can't get the full name of some of the favorites in IE due to the filters on this site.

Check your favorites for anything you don't recognize and delete them. Empty the recycle bin afterwards as well.

Also
Make sure you can view all Hidden Files/Folders

Please double-click on My Computer and locate the file " F2309_Stealth.exe". Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.


#17 ThaWacky (Member, Topic Starter, 18 posts)

I found quite a few bookmarks that weren't supposed to be there, deleted them and emptied my recycle bin.

I can view Hidden Folders. I did a complete system search and it didn't find the F2309_Stealth.exe file.

#18 don77 (Malware Expert, Retired Staff, 18,526 posts)

Hi Thawacky,

Open killbox and paste the following to clipboard

{D01E8C08-46DD-4143-AF15-82893DE7FCD2}\Data.Cab[F2309_Stealth.exe]

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Restart the computer, run a scan with Active and post back the results from it please.

#19 ThaWacky (Member, Topic Starter, 18 posts)

I got this error when I tried to perform the Killbox operation with the line that you provided: "PendingFileRenameOperations Registry Data has been Removed by External Process!"
The only option was to click the "OK" button.

HERE IS THE PANDA ACTIVE SCAN LOG:

Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry
Possible Virus. No disinfected C:\WINDOWS\Downloaded Installations\{D01E8C08-46DD-4143-AF15-82893DE7FCD2}\Data.Cab[F2309_Stealth.exe]
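Killbox's "Delete on Reboot" works by writing a source/destination pair into the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which Windows processes at the next boot; the error quoted above says that value was cleared by another process before the reboot happened. The script below is an added example (not from the thread or from Killbox) that decodes that value so a responder can confirm what is actually scheduled before rebooting. The constructed sample reuses the Data.Cab path from this thread; the other two entries are made up, and the live read only runs on Windows.

```python
"""Decode a Windows PendingFileRenameOperations value (added example)."""
import sys
from typing import Dict, List, Optional

NT_PREFIX = "\\??\\"

# Constructed REG_MULTI_SZ content, in the layout Windows uses for
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations:
# strings come in pairs (source, destination). An empty destination means
# "delete the source at the next boot"; a destination starting with "!"
# means "overwrite the destination if it already exists".
# The first source is the Data.Cab path from this thread; the rest are made up.
SAMPLE_VALUE: List[str] = [
    r"\??\C:\WINDOWS\Downloaded Installations\{D01E8C08-46DD-4143-AF15-82893DE7FCD2}\Data.Cab",
    "",
    r"\??\C:\WINDOWS\Temp\example_update.tmp",
    r"!\??\C:\WINDOWS\system32\example.dll",
]


def strip_nt_prefix(path: str) -> str:
    """Turn the NT-style \\??\\C:\\... form into the familiar C:\\... form."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries: List[str]) -> List[Dict[str, object]]:
    """Pair up the MULTI_SZ strings and classify each pair."""
    ops: List[Dict[str, object]] = []
    # Some tools drop the trailing empty string of a delete request; treat a
    # lone final source as a delete rather than failing on it.
    for i in range((0), len(entries), 2):
        source = entries[i]
        dest = entries[i + 1] if i + 1 < len(entries) else ""
        if source == "":
            continue  # stray terminator, nothing is scheduled by it
        replace = dest.startswith("!")
        dest_clean = strip_nt_prefix(dest[1:] if replace else dest)
        ops.append({
            "op": "delete" if dest_clean == "" else "rename",
            "source": strip_nt_prefix(source),
            "destination": dest_clean,
            "replace_existing": replace,
        })
    return ops


def pending_deletes(entries: List[str]) -> List[str]:
    """Just the paths that will be deleted at the next boot."""
    return [str(op["source"]) for op in parse_pending_ops(entries) if op["op"] == "delete"]


def read_live_value() -> Optional[List[str]]:
    """Read the real value on Windows; None elsewhere, [] if the value is unset."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else None


if __name__ == "__main__":
    live = read_live_value()
    data = live if live else SAMPLE_VALUE
    print("source:", "live registry" if live else "constructed sample")
    for op in parse_pending_ops(data):
        print(op)
```

Run it right after queueing a delete-on-reboot and before restarting: if the scheduled path is missing from the output, something else has already rewritten the value, which is the situation the Killbox message describes.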

#20 don77 (Malware Expert, Retired Staff, 18,526 posts)

Did you reboot manually after running Killbox?

If not, please do so again. Let us know how you make out.

#21 ThaWacky (Member, Topic Starter, 18 posts)

The results you see are after I pressed "OK" on the error message I got and did a manual reboot.

#22 don77 (Malware Expert, Retired Staff, 18,526 posts)

Hi, sorry again for the late reply.
Could you post back a fresh HJT log please?

#23 ThaWacky (Member, Topic Starter, 18 posts)

HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:41 AM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\PopUp Killer\PopUpKiller.exe
C:\Documents and Settings\The Dee\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
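A HijackThis log is a fixed-format text dump, so the triage a helper does by eye (which autostarts exist, which services are registered, whether their binaries are actually running) can be done programmatically. The parser below is an added example written for this thread, not part of HijackThis or of the log above. It reads the running-process list, the O4 autostart lines and the O23 service lines, and reports any service whose binary path does not appear among the running processes. The embedded log is a constructed excerpt modelled on the one posted above, with nvsvc32.exe deliberately left out of the process list so the cross-check has something to report.

```python
"""Parse a HijackThis 1.99.1 log into structured records (added example)."""
import re
from typing import Dict, List, Optional

# Constructed excerpt in the HijackThis v1.99.1 format, modelled on the log
# posted above. nvsvc32.exe is deliberately left out of the process list so
# that services_not_running() below has something to report.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:10:41 AM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\The Dee\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

VERSION_RE = re.compile(r"^Logfile of HijackThis (v[\d.]+)")
# O4 registry Run entries: "O4 - HKLM\..\Run: [Name] command line"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
# O4 startup-folder entries: "O4 - Global Startup: Name.lnk = C:\path\prog.exe"
O4_FOLDER_RE = re.compile(r"^O4 - (?P<folder>.+?): (?P<name>.+?) = (?P<command>.*)$")
# O23 services: "O23 - Service: Display Name (ShortName) - Company - C:\path\svc.exe"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<company>.+?) - (?P<path>.+)$")


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Turn one O-line into a dict, or None if the shape is not one we know."""
    for kind, regex in (("O4", O4_RUN_RE), ("O4", O4_FOLDER_RE), ("O23", O23_RE)):
        m = regex.match(line)
        if m:
            entry = {"type": kind}
            entry.update(m.groupdict())
            return entry
    return None


def parse_hjt_log(text: str) -> Dict[str, object]:
    """Split a log into version, running processes, parsed entries and leftovers."""
    version = ""
    processes: List[str] = []
    entries: List[Dict[str, str]] = []
    unparsed: List[str] = []
    in_processes = False
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line.strip() == "":
                in_processes = False  # blank line ends the process block
            else:
                processes.append(line.strip())
            continue
        if not line.startswith("O"):
            continue
        entry = parse_entry(line)
        (entries if entry else unparsed).append(entry if entry else line)
    return {"version": version, "processes": processes, "entries": entries, "unparsed": unparsed}


def services_not_running(parsed: Dict[str, object]) -> List[str]:
    """Short names of O23 services whose binary is absent from the process list."""
    running = {p.lower() for p in parsed["processes"]}  # type: ignore[union-attr]
    return [e["short"] for e in parsed["entries"]  # type: ignore[union-attr]
            if e["type"] == "O23" and e["path"].lower() not in running]


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print("HijackThis", parsed["version"], "-", len(parsed["processes"]), "processes")
    for e in parsed["entries"]:
        print(e)
    print("services with no matching running process:", services_not_running(parsed))
```

Path comparison is a plain case-insensitive string match, so a service registered with an 8.3 short path (C:\PROGRA~1\...) only matches a process listed the same way; resolving short names needs a Windows API call and is out of scope here.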

#24 don77 (Malware Expert, Retired Staff, 18,526 posts)

I'm sorry, I just noticed I didn't copy the entire path :tazz:

C:\WINDOWS\Downloaded Installations\{D01E8C08-46DD-4143-AF15-82893DE7FCD2}\Data.Cab[F2309_Stealth.exe]


Try again with Killbox please.

Rescan with Active and let us know how you make out please.

#25 ThaWacky (Member, Topic Starter, 18 posts)

Hey don77,

I used the new path and Killbox gave me the same error message as before.

I have a question as well, when we are done with cleaning out my system, should I download the Windows Service Pack 2 as well?


#26 don77 (Malware Expert, Retired Staff, 18,526 posts)

Once we get you cleaned up you can update.

Did you run another scan with Active, and if so, is it still finding it?

Please set your system to show all files; please see here if you're unsure how to do this.

See if you can do a manual search for the file. If found, could you post back the info on it please?

Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

#27 ThaWacky (Member, Topic Starter, 18 posts)

Hey don77,

I went to the C:\WINDOWS\Downloaded Installations\{D01E8C08-46DD-4143-AF15-82893DE7FCD2} folder and here is what I found:

1 Installation Program - Labeled "Cache, Cookies and Windows Cleaner" (I don't remember downloading this program.)


Summary
Subject - Cache, Cookie and Windows Cleaner
Category - Blank
Keywords - Fully clean your computer
Comments - Enter comments regarding this installation database here.
Source - Blank
Author - MoleculeSoft Inc.
Revision Number - {D01E8C08-46DD-4143-AF15-82893DE7FCD2}


1 WinZip File - Labeled "Data" (I don't know where this came from either.)


Summary
All fields contain no description.

#28 don77 (Malware Expert, Retired Staff, 18,526 posts)

It looks to be a shareware program after some quick research on it. Seeing as you found it, go ahead and delete it; I had you install Cleanup!, which will do fine for you.
The other WinZip file you should be fine to delete as well.

Run a new scan with Active and let us know how it goes.

#29 ThaWacky (Member, Topic Starter, 18 posts)

It's been a busy week don77, sorry for the delay.

Here is the Panda Active Scan Log:


Incident Status Location

Adware:adware/portalscan No disinfected HKEY_CLASSES_ROOT\.TE
Possible Virus. No disinfected C:\Program Files\The Cleaner\MooLive.exe

I know what MooLive is, I downloaded it when I first got infected. I don't know what the first listing is though.

#30 don77 (Malware Expert, Retired Staff, 18,526 posts)

Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.