Malware, Possible Trojan logs attached

Status
Not open for further replies.

Jacal

Norton died on me one day and when I checked back on this computer, it was filled with viruses.

I did the virus removal process and so far it is cleaned up a lot; I have also renewed my Norton subscription.

The rootkit program found nothing.
 

Attachments: ComboFix.txt (12.1 KB)

Your system is infected with malware.

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If you decide to clean your system after reading the above thread, do the following.

Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of Jacal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Lol, I did that already :p

Ummmm lol, it never auto-saved the report >.< ... I have to run a new scan, sorry :(
 
Run HijackThis with no other programs open. Place a tick in the little boxes next to the following entries (if there):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O8 - Extra context menu item: &Search - [http]edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm014YYJM

O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - [http]www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - [http]update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe

Click the Fix Checked button.

Go into Add/Remove Programs in your Control Panel and remove anything having to do with VideoEgg, MyWebSearch, or FunWebProducts.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Do the following yet.

Please visit http://virusscan.jotti.org/

Enter the following in to the text box at the top of the page

C:\WINDOWS\Matrix Code.exe

Click Submit.

Do the same with the following two files, one at a time:

C:\WINDOWS\matrix code.scr
C:\WINDOWS\mickey32.dll

Please post fresh HijackThis, ComboFix and AVG Antispyware logs, as well as the Avenger log (located at C:\avenger.txt). Also post here the results of the Jotti virus scan.

Regards :)

This thread is for the use of Jacal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 

Attachments: avengerscript.txt (1.3 KB)

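As an added, defender-side illustration (this is not code from the thread, from HijackThis or from The Avenger), the following Python script parses HijackThis-style entries like the ones listed in the post above and triages them the way the helper did by hand: O6 Internet Explorer policy restrictions and any entry referencing the adware families named in this thread (MyWebSearch, FunWebProducts, VideoEgg) are marked "fix", O16 DPF ActiveX downloads are marked "review" with their host extracted, and everything else is "info". The sample log, the indicator list, the severity levels and the final benign O23 service line are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the HijackThis entries quoted in this thread, plus one
# constructed benign O23 service line as a control. URLs stay in the thread's
# defanged "[http]" form.
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Search - [http]edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm014YYJM
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - [http]www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
O23 - Service: Example Service (constructed) - C:\WINDOWS\system32\svchost.exe
"""

# Entry code ("O4", "R0", ...) followed by " - " and the body. HijackThis uses
# R (registry/IE settings), F (ini files) and O (other) prefixes.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# Hostname after "http://", "https://" or the forum-defanged "[http]" prefix.
HOST_RE = re.compile(r"\[?https?\]?:?/?/?([A-Za-z0-9.-]+)")
# Adware/toolbar families named in this thread (assumed list); matched case-insensitively.
ADWARE_INDICATORS = ("mywebsearch", "mywebs~1", "funwebproducts", "videoegg")


@dataclass
class Finding:
    code: str
    severity: str  # "fix", "review" or "info"
    reason: str
    entry: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis entry; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    lowered = body.lower()
    hit = next((ind for ind in ADWARE_INDICATORS if ind in lowered), None)
    host_m = HOST_RE.search(body)
    host = host_m.group(1) if host_m else "unknown host"
    if code == "O6":
        # Policy keys under Software\Policies\Microsoft\Internet Explorer: hijackers
        # set these to lock the user out of IE settings; they should not exist on a
        # home machine unless an administrator deliberately created them.
        return Finding(code, "fix", "Internet Explorer policy restriction present", line.strip())
    if hit:
        return Finding(code, "fix", f"references known adware component '{hit}'", line.strip())
    if code == "O16":
        # DPF entries record ActiveX downloads; one from an unrecognised host
        # deserves a look even when no name-based indicator matched.
        return Finding(code, "review", f"ActiveX (DPF) download from {host}", line.strip())
    return Finding(code, "info", "no indicator matched", line.strip())


def triage_log(text: str) -> List[Finding]:
    """Triage every entry line of a HijackThis log, in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per severity, e.g. Counter({'fix': 4, 'info': 2, 'review': 1})."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    results = triage_log(SAMPLE_HJT)
    for f in results:
        print(f"[{f.severity:>6}] {f.code}: {f.reason}")
    print(dict(summarize(results)))
```

The indicator list is deliberately the thread's own names rather than a general adware database; the point is that the O6 policy rule and the O16 "review anything that downloads code" rule catch entries that a name match alone would miss, which is why the helper asked for those entries to be fixed even though the Jotti scan of the individual files came back clean.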
Sorry took so long went to sleep xD

matrix code.exe found to be ok.
C:\WINDOWS\matrix code.scr found to be ok.
C:\WINDOWS\mickey32.dll found to be ok,
by the Jotti website.

Here are the logs.
 
Have HJT fix the following entries (if there):

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

Now run The Avenger again as per the instructions, but use the script file attached to this post instead.

The attached script is only for this user. If you are not this user, do NOT follow the instructions as they could damage your system.

Regards :)

This thread is for the use of Jacal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
The two files that you told me to fix in HijackThis are not going away, but I will still attach the logs.

And avenger is not finding a majority of those files due to the address in place.
 
Your HJT log is clean.

Delete this bold folder.

C:\DOCUME~1\DIVERS~1\APPLIC~1\FunWebProducts

Other than that, your system looks ok.

If you`re still having problems, post fresh Combofix and HJT log.

Regards Howard :)

This thread is for the use of Jacal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 