Bt2net and PSGuard Virus [RESOLVED]

#61 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Spybot nabbed klogini; then can you send me all of the others, please?

#62 .:bob schmo:. (Topic Starter, Member, 59 posts)
OK, sent. And do you know anything about rundll32.exe, by chance?

#63 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Bob, you can go ahead and delete all of those files that I asked you to send, you know, the sys1234.exe's; they are a variant of Win32/StartPage.AAL.

#64 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
rundll, depending on location, is a legit and crucial part of Windows.
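
Atribune's point above is that rundll32.exe is judged by where it lives. The following is an added example (not code from the thread or from any tool mentioned in it) that applies that test to a list of process or autorun entries and, going one step further than the post, also looks at the location of the DLL each entry tells rundll32 to load, since a genuine rundll32.exe will run whatever DLL path it is given. SYSTEM_ROOT, the directory lists and all sample entries are assumptions and constructed data, not values taken from the thread.

```python
"""Added example (not from the thread): triage rundll32.exe entries by location.

rundll32.exe belongs in %SystemRoot%\\System32 (and SysWOW64 on 64-bit Windows);
a copy anywhere else is not the Windows binary. The second thing to check is the
DLL it was asked to load: the real rundll32 will run whatever DLL path is on its
command line, so that path needs the same scrutiny.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP install location

# Only these directories may legitimately hold rundll32.exe itself.
SYSTEM_DIRS = (
    ntpath.join(SYSTEM_ROOT, "system32"),
    ntpath.join(SYSTEM_ROOT, "syswow64"),
)

# Path fragments marking directories an ordinary user (or a browser exploit
# running as that user) can write to. Assumed list, not exhaustive.
USER_WRITABLE_HINTS = (
    "\\documents and settings\\",
    "\\temp\\",
    "\\application data\\",
)


def _norm(path):
    return ntpath.normpath(path).lower()


def _inside(path, directory):
    p, d = _norm(path), _norm(directory)
    return p == d or p.startswith(d + "\\")


def dll_from_cmdline(cmdline):
    """Pull the DLL out of 'rundll32.exe <dll>,<entrypoint> [args]'.

    Accepts a quoted or unquoted rundll32 image and a quoted or unquoted DLL
    path (quotes matter once the path contains 'Documents and Settings').
    Returns None when no DLL argument is present.
    """
    m = re.match(r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 1 else None
    # unquoted: the DLL ends at the comma before the entry point or at a space
    return re.split(r"[,\s]", rest, maxsplit=1)[0] or None


def assess(image_path, cmdline):
    """Verdict for one process or autorun entry."""
    if ntpath.basename(image_path).lower() != "rundll32.exe":
        return "not-rundll32"
    if not any(_inside(image_path, d) for d in SYSTEM_DIRS):
        return "suspicious-image"      # rundll32.exe living outside System32/SysWOW64
    dll = dll_from_cmdline(cmdline)
    if dll is None:
        return "no-dll-argument"
    if not ntpath.dirname(dll):
        return "dll-bare-name"         # resolved through the DLL search order; check by hand
    if any(_inside(dll, d) for d in SYSTEM_DIRS):
        return "legit"
    if any(h in _norm(dll) + "\\" for h in USER_WRITABLE_HINTS):
        return "suspicious-dll"        # genuine rundll32 loading a DLL from a user-writable dir
    return "review-dll"


# Constructed sample entries (image path, command line); not taken from the thread.
SAMPLE_ENTRIES = [
    (r"C:\WINDOWS\system32\rundll32.exe",
     r'"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL'),
    (r"C:\WINDOWS\system32\rundll32.exe",
     r"rundll32.exe C:\WINDOWS\system32\example.dll,Start"),
    (r"C:\WINDOWS\system32\rundll32.exe",
     r'"C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Eric\Application Data\example.dll",Start'),
    (r"C:\Documents and Settings\Eric\Local Settings\Temp\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def triage(entries=SAMPLE_ENTRIES):
    return [(assess(img, cmd), img, cmd) for img, cmd in entries]


if __name__ == "__main__":
    for verdict, img, cmd in triage():
        print(f"{verdict:17} {img}")
        print(f"{'':17} {cmd}")
```

The third sample is the case the post's location rule alone misses: rundll32.exe is the genuine one in System32, but the DLL it was told to load sits under the user's profile, which is exactly where a browser exploit drops files.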

#65 .:bob schmo:. (Topic Starter, Member, 59 posts)

Atribune wrote:
"Bob, you can go ahead and delete all of those files that I asked you to send, you know, the sys1234.exe's; they are a variant of Win32/StartPage.AAL."

Just the ones I sent, or all of the ones it detected?

#66 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
All that were detected.

While you are at it, let's run this online virus scanner:

http://www.kaspersky...739400#betatest

#67 .:bob schmo:. (Topic Starter, Member, 59 posts)
The link does not work for me?

#68 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
What happens?

#69 .:bob schmo:. (Topic Starter, Member, 59 posts)
It says this page cannot be displayed?

#70 .:bob schmo:. (Topic Starter, Member, 59 posts)
Pandascan online also found these, and I was wondering how to remove them:

Adware:adware/savenow            No disinfected   HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/psguard            No disinfected   HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}
Adware:adware/brilliantdigital   No disinfected   HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}

EDIT: Online scanner works now. Scanning in progress.

Edited by .:bob schmo:., 17 July 2005 - 04:20 PM.


#71 .:bob schmo:. (Topic Starter, Member, 59 posts)
Wow, yeah, it's a triple post, but whatever. Here are the results of the scan (a lot of them are from the zip files that I sent you through Outlook):

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Sunday, July 17, 2005 17:40:05
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/07/2005
Kaspersky Anti-Virus database records: 138527
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 103439
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 6285 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0\archive.jar-234377ea-54e4fd53.zip/Gagaga.class Infected: Trojan-Dropper.Java.Beyond.g
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0\archive.jar-234377ea-54e4fd53.zip/Vbagx.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0\archive.jar-234377ea-54e4fd53.zip Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Jul 2005 21:59 to 'submit@atribune.org':avpx32 ZIP File Upon /avpx.zip/avpx32.sys Infected: Backdoor.Win32.Haxdoor.do
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Jul 2005 21:59 to 'submit@atribune.org':avpx32 ZIP File Upon /avpx.zip Infected: Backdoor.Win32.Haxdoor.do
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Backdoor.Win32.Haxdoor.do
C:\System Volume Information\_restore{6BA898BA-792D-4C66-ACB5-A3D261135E07}\RP208\A0128168.sys Infected: Backdoor.Win32.Haxdoor.do

Scan process completed.


Is it safe for me to delete all the files found in C:\Documents and Settings\Eric\.jpi_cache\jar\1.0, since that is where most of the viruses were located?

Edited by .:bob schmo:., 17 July 2005 - 06:44 PM.

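
The report above lists seven infected objects but only three files on disk, because Kaspersky descends into archives, mail stores and restore points and reports each inner object separately. The following is an added example (not from the thread and not Kaspersky's code) that parses the report pasted above and groups the hits by the file that actually sits on disk, so it is clear which path is a deletable cache file, which is a restore-point copy, and which is the mailed sample inside Outlook.pst. The handling notes follow the advice given in this thread except where marked as an assumption.

```python
"""Added example (not from the thread): group a Kaspersky web-scanner report by on-disk file.

Kaspersky separates container levels with '/', while the Windows path itself
uses '\\', so everything after the first '/' lives inside the file named
before it. SAMPLE_REPORT holds the detection lines from the report above.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<obj>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<name>\S+)$")

SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0\archive.jar-234377ea-54e4fd53.zip/Gagaga.class Infected: Trojan-Dropper.Java.Beyond.g
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0\archive.jar-234377ea-54e4fd53.zip/Vbagx.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Eric\.jpi_cache\jar\1.0\archive.jar-234377ea-54e4fd53.zip Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Jul 2005 21:59 to 'submit@atribune.org':avpx32 ZIP File Upon /avpx.zip/avpx32.sys Infected: Backdoor.Win32.Haxdoor.do
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Jul 2005 21:59 to 'submit@atribune.org':avpx32 ZIP File Upon /avpx.zip Infected: Backdoor.Win32.Haxdoor.do
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Backdoor.Win32.Haxdoor.do
C:\System Volume Information\_restore{6BA898BA-792D-4C66-ACB5-A3D261135E07}\RP208\A0128168.sys Infected: Backdoor.Win32.Haxdoor.do

Scan process completed.
"""


def parse_report(text):
    """Return (object, status, detection name) for every detection line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("obj"), m.group("status"), m.group("name")))
    return hits


def on_disk_path(obj):
    """Strip the container chain: the part before the first '/' is the real file."""
    return obj.split("/", 1)[0]


def classify(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if p.endswith(".pst"):
        return "mail-store"
    if "\\.jpi_cache\\" in p:
        return "java-cache"
    return "file"


HANDLING = {
    "java-cache": "Java plug-in cache of downloaded applets; safe to delete (confirmed in the thread)",
    "restore-point": "cannot be cleaned in place; turn System Restore off, reboot, turn it back on (thread advice)",
    "mail-store": "attachment on a sent message inside the mailbox; delete that message rather than the .pst (assumption, not thread advice)",
    "file": "active file on disk; remove it",
}


def summarise(text=SAMPLE_REPORT):
    """Map each on-disk file to its kind, inner-object count and detection names."""
    groups = defaultdict(lambda: {"kind": "", "objects": 0, "names": set()})
    for obj, _status, name in parse_report(text):
        path = on_disk_path(obj)
        g = groups[path]
        g["kind"] = classify(path)
        g["objects"] += 1
        g["names"].add(name)
    return dict(groups)


def distinct_detections(text=SAMPLE_REPORT):
    return {name for _, _, name in parse_report(text)}


if __name__ == "__main__":
    for path, g in summarise().items():
        print(f"{g['kind']:14} {g['objects']} object(s)  {', '.join(sorted(g['names']))}")
        print(f"{'':14} {path}")
        print(f"{'':14} -> {HANDLING[g['kind']]}")
```

Run on the report above this reproduces its own statistics (3 distinct detections, 7 infected objects) and shows that the only hit outside the Java cache and the mailbox is the restore-point copy, which is why the System Restore off/on step below is the one that clears it.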

#72 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Sorry, Bob, for some reason my tracking wasn't working. Yes, that is safe to do.

#73 .:bob schmo:. (Topic Starter, Member, 59 posts)
Any idea how to get rid of these?

C:\System Volume Information\_restore{6BA898BA-792D-4C66-ACB5-A3D261135E07}\RP208\A0128168.sys Infected: Backdoor.Win32.Haxdoor.do

Adware:adware/savenow            No disinfected   HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/psguard            No disinfected   HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}
Adware:adware/brilliantdigital   No disinfected   HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}

#74 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Copy the text from the following quotebox and save it as fix.reg, with "Save as type" set to "All Files".

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET]

[-HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}]

[-HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]


Next, double-click the saved fix.reg and merge it with the registry.

Next, click Start > All Programs > Accessories > System Tools > System Restore. This will bring up the System Restore window. On the left half of the page will be a link for System Restore settings; click it and turn off System Restore. Reboot, then follow the same steps, but this time turn System Restore on.
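
Before merging a .reg file it is worth seeing exactly what it will do, since regedit applies it after a single confirmation prompt. The following is an added example (not from the thread and not part of any tool it mentions) that parses REGEDIT4 and "Windows Registry Editor Version 5.00" files into a list of actions and checks that the fix.reg above does nothing beyond deleting the three keys Panda reported. FIX_REG is the file from the post above; EXAMPLE_REG is a constructed sample that exercises the value syntax the fix does not use.

```python
"""Added example (not from the thread): preview what a .reg file does before merging it.

Syntax handled: '[Key]' creates/opens a key, '[-Key]' deletes it, '"name"=data'
sets a value, '@=data' sets the default value, '"name"=-' deletes a value, and a
trailing backslash continues hex data on the next line.
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

# The fix.reg from the post above.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET]

[-HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}]

[-HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"""

# Constructed sample (not from the thread) showing create/set/delete-value lines.
EXAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Example]
"Run"="C:\\Example\\thing.exe"
"Old"=-
@="default"
"""


def parse_reg(text):
    """Return the actions a .reg file performs, in file order:
    ('delete_key', key), ('create_key', key),
    ('set_value', key, name, data), ('delete_value', key, name)."""
    actions, current_key, seen_header, pending = [], None, False, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if not seen_header:
            if line not in HEADERS:
                raise ValueError(f"not a .reg file: first line is {line!r}")
            seen_header = True
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]        # hex data continued on the next line
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", current_key))
                current_key = None     # values listed after a deletion are not applied
            else:
                actions.append(("create_key", current_key))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            if data == "-":
                actions.append(("delete_value", current_key, name))
            else:
                actions.append(("set_value", current_key, name, data))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return actions


def only_deletes(actions, expected_keys):
    """True when the file does nothing except delete exactly the expected keys."""
    return all(a[0] == "delete_key" for a in actions) and \
        {a[1] for a in actions} == set(expected_keys)


if __name__ == "__main__":
    for a in parse_reg(FIX_REG):
        print(*a)
    print("fix.reg only deletes the three Panda keys:",
          only_deletes(parse_reg(FIX_REG), [
              r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET",
              r"HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}",
              r"HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}"]))
```

HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, so for machine-wide registrations the two HKCR deletions and the explicit HKLM\SOFTWARE\CLASSES\MAGNET deletion all land in the same hive; a previewer that only shows the literal key text is still enough to confirm the file contains no value writes or key creations.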

#75 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
While you're at it, Bob, let's give this tool a run.
Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
HijackThis entries here if needed. Delete any other malware files not associated with the smitfraud variants and SpySheriff.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.