infected computer [CLOSED]



#16 russell146 (Topic Starter, Member, 28 posts)
explore1 = 108 KB.

I think explorer = 981 KB


File: explore1.exe_
Status: INFECTED/MALWARE
MD5 a22176e46d043c4eb8f0394a71b95166
Packers detected: UPX
Scanner results
AntiVir Found TR/SecondThought.BI
ArcaVir Found Trojan.Secondthought.Bi
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Secondthought.BI
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/SecondTh.AR
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.SecondThought.bi
NOD32 Found nothing
Norman Virus Control Found W32/2ndThought.CB
UNA Found Trojan.Win32.SecondThought
VBA32 Found nothing


File: explorer.exe_
Status: OK
MD5 a82b28bfc2e4455fe43022a498c0ef0a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

#17 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mtnkqgqs]

[-HKEY_CLASSES_ROOT\CLSID\{f98c1bbe-3f19-47c0-8b6d-007ce18f785c}]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"olejte"=-
"olejte.exe"=-
"rhgr.exe"=-
"tkaadbnq.exe"=-
"tqdua.exe"=-
"blcci.exe"=-
"wsogeu.exe"=-
"lsdfg.exe"=-
"qnrgbqxu.exe"=-
"coetunn.exe"=-
"obsgsds.exe"=-
"aohwt.exe"=-
"xjbrqkg.exe"=-
"teenph.exe"=-


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpkc.exe
C:\WINDOWS\SYSTEM32\S4GDDK.EXE
C:\DOCUMENTS AND SETTINGS\CHRIRUSS\LOCAL SETTINGS\TEMP\pi.sys
C:\DOCUMENTS AND SETTINGS\CHRIRUSS\FAVORITES\SPORTS\Auto racing.url
C:\WINDOWS\SYSTEM32\AUNPS2.dll
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\Free Cell Phone.ico
C:\WINDOWS\SYSTEM32\maxd1.exe
C:\WINDOWS\SYSTEM32\newdial.exe
C:\WINDOWS\SYSTEM32\SWLAD1.dll
C:\WINDOWS\SYSTEM32\tibs.exe
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\WinNB57.dll
C:\WINDOWS\LASTGOOD\INF\farmmext.inf
C:\WINDOWS\LASTGOOD\INF\payload2.inf
C:\DOCUMENTS AND SETTINGS\CHRIRUSS\APPLICATION DATA\Sskcwrd.dll
C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\Cheap Viagra.url
C:\WINDOWS\INF\dm.inf
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\kl.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\tool2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpkc.exe
C:\Documents and Settings\ChriRuss\Local Settings\Temp\F7.tmp
C:\WINDOWS\hammer.exe
C:\WINDOWS\SYSTEM32\explore1.exe
C:\WINDOWS\System32\eonkb.dll
C:\WINDOWS\system32\conres.cpl
C:\WINDOWS\Bpwzcvwazju.gpo
C:\WINDOWS\Brhzmkhbm.jag
C:\WINDOWS\CFindUninst.exe
C:\WINDOWS\Ctxyhsjoyq.efb
C:\WINDOWS\Dulroovb.rro
C:\WINDOWS\Ivukipqckb.ysz
C:\WINDOWS\ms1.exe
C:\WINDOWS\Rdomccq.atw
C:\WINDOWS\Qblciowin.vfs
C:\WINDOWS\ru.exe
C:\WINDOWS\SNDQDLL.EXE
C:\WINDOWS\SYSTEM32\1800414.dll
C:\WINDOWS\SYSTEM32\AUNPS2.dll
C:\WINDOWS\SYSTEM32\better0503.dll
C:\WINDOWS\SYSTEM32\blizzard.dll
C:\WINDOWS\SYSTEM32\csmrepl.dll
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\delfin0414.dll
C:\WINDOWS\SYSTEM32\dx32cxujy.exe
C:\WINDOWS\SYSTEM32\fkjdgdg.dll
C:\WINDOWS\SYSTEM32\init32m.exe
C:\WINDOWS\SYSTEM32\kydsl1.dll
C:\WINDOWS\SYSTEM32\SWsBwsls.exe
C:\WINDOWS\SYSTEM32\tibs.exe
C:\WINDOWS\SYSTEM32\vxgame1.exe
C:\WINDOWS\SYSTEM32\vxgame3.exe
C:\WINDOWS\SYSTEM32\vxgame4.exe
C:\WINDOWS\SYSTEM32\vxgame6.exe
C:\WINDOWS\SYSTEM32\vxgamet1.exe
C:\WINDOWS\SYSTEM32\vxgamet2.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq1.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe
C:\WINDOWS\SYSTEM32\vxh8jkdq8.exe
C:\WINDOWS\system32\d?xplore.exe
C:\Documents and Settings\ChriRuss\Application Data\Sskcwrd.dll
C:\Documents and Settings\ChriRuss\Application Data\Sskknwrd.dll
C:\WINDOWS\System32\s4gddk.exe
C:\WINDOWS\System32\olejte.exe
C:\WINDOWS\system\rhgr.exe
C:\WINDOWS\system\tkaadbnq.exe
C:\WINDOWS\system\tqdua.exe
C:\WINDOWS\system\blcci.exe
C:\WINDOWS\system\wsogeu.exe
C:\WINDOWS\system\lsdfg.exe
C:\WINDOWS\system\qnrgbqxu.exe
C:\WINDOWS\system\coetunn.exe
C:\WINDOWS\system\obsgsds.exe
C:\WINDOWS\system\aohwt.exe
C:\WINDOWS\system\xjbrqkg.exe
C:\WINDOWS\system\teenph.exe


As you paste each entry into Killbox, place a tick by any of these selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Now locate and double-click KillQoo.reg -> allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gddk.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Delete the following folders -

C:\PROGRAM FILES\TopConverting
C:\PROGRAM FILES\VBouncer
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\SYSTEM32\Newmsrdk
C:\WINDOWS\SYSTEM32\nsvsvc
C:\DOCUMENTS AND SETTINGS\CHRIRUSS\FAVORITES\Gambling
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
C:\Program Files\Common Files\qikz
C:\Documents and Settings\All Users\Application Data\msw



Restart back in Normal Mode and Post a fresh HijackThis log!
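What KillQoo.reg does when merged, as an added example that is not part of tampabelle's post: a `[-KEY]` header removes the whole key, and a `"name"=-` line removes a single value under the key opened above it. The Python below parses a REGEDIT4 script and lists those deletions so the script can be reviewed before it is double-clicked; the embedded sample is a constructed subset of the page's file.

```python
import re

# Constructed sample in the REGEDIT4 dialect of the KillQoo.reg above: a subset of
# the page's entries, not the complete file.
SAMPLE_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mtnkqgqs]
[-HKEY_CLASSES_ROOT\CLSID\{f98c1bbe-3f19-47c0-8b6d-007ce18f785c}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"olejte"=-
"olejte.exe"=-
"rhgr.exe"=-
"""

# [KEY] opens a key and [-KEY] deletes it; "name"=- deletes one value,
# "name"=data writes it, and @ stands for the key's default value.
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def summarize_reg(text):
    """Return (deleted_keys, deleted_values, set_values) for a REGEDIT4 script:
    key paths removed, (key, name) pairs removed, and {(key, name): data} written."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 script")
    deleted_keys, deleted_values, set_values = [], [], {}
    current = None  # key that subsequent value lines apply to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "-":
                deleted_keys.append(m.group(2))
                current = None  # value lines cannot follow a deletion header
            else:
                current = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            if m.group(2) == "-":
                deleted_values.append((current, name))
            else:
                set_values[(current, name)] = m.group(2)
    return deleted_keys, deleted_values, set_values
```

Run it over the saved KillQoo.reg (`summarize_reg(open("KillQoo.reg").read())`) to see every key and value it will remove; the result should contain only the entries tampabelle listed, and nothing in `set_values`.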

#18 russell146 (Topic Starter, Member, 28 posts)
Did everything you suggested - everything went smoothly.

Logfile of HijackThis v1.99.1
Scan saved at 2:25:40 PM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\nod32cc.exe
C:\WINDOWS\System32\nod32m2.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ChriRuss\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmich.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.4:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.hpsvikings.org;10.162.1.1;10.162.1.2;<local>
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124219545770
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....301470OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282877768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.si...cherControl.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NOD32 Control Center Service (NOD32ControlCenter) - Unknown owner - C:\WINDOWS\System32\nod32cc.exe" -service (file missing)
O23 - Service: NOD32 Service (NOD32Service) - Unknown owner - C:\WINDOWS\System32\nod32m2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Novell ZFD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZFD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

#19 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Your log looks fine.

Do you have any issues with your PC? If not, then we can fine-tune your PC to get optimal performance.

#20 russell146 (Topic Starter, Member, 28 posts)
My ISP has been down, so I haven't been able to reply.

My computer is running fine. One big issue I'd like to fix is that when I turn my computer on, the desktop is a blue page, then in the middle of the page is a black bar with the following written inside it - (in red it says:) YOUR SYSTEM IS INFECTED! (in smaller letters and in white:) System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommeded to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed.

By the way - yes, the word is spelled "recommeded" in the box.

The computer will not let me change the look of the desktop. Won't let me change the color scheme or anything.

I would really like to get rid of this. If you have any ideas that will help, please let me know!

Thanks

#21 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.



Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the contents of the smitfiles.txt log by using Add Reply.

Let us know if any problems persist.

#22 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.