TechSpot

Problem with 4 new icons

By publiccovert
Sep 4, 2010
  1. ok, so here is the problem... (I have win XD pro)
    while doing research on google, i was prompted to install a chinese language pack. i did not, primarily because i was reading the site in english. as soon as i closed the box, it reopened. this happened several times until i checked the "do not ask me again" box. then my IE crashed.
    going to my desktop, i found my IE icon was gone, but another was in a diffrent spot labled "Intennet Exploner" and below that was 3 iconswith very a confusing language (Im assuming its my pc trying to figgure out simplified chinese). when i right click these icons, i get nothing but squares. if i highlight it and hit the del key, it says it cannot delete becaue it isin use by another person or program.
    I tried to restart my pc, no luck.
    so i removed my zip drive and moved to my laptop (What im using now)
    when i connected to the laptop, i accessed the internet (Wich is much slower but better protected due to the sensitive files on it) i recieved the SAME THING! INSTANTLY! i hadn't gone anywhere except the google homepage and im assuming they came over on the zip drive.

    so...... i need help in terms for a complete *****. im not that tech savvy (savvy on many things, but my tech knowlage stopped with win98) I need to know how to delete these files (there is also one in my favorates list in IE that wont delete either) and how not to loose all my information.

    Please help.
    Publiccovert

    Update: now i have 2 new problems stemming from this. my system restore does nothing, because i tried it on my first computer. so i put in my xd disk and was trying somehow to get sys restore to work. nothing doin. so i rebooted. IT TRIED TO INSTALL WINDOWS AGAIN. now when i start my pc, it asks me which version of windows i want to use. the one on top is the new version (which does not run correctly and ho no programs at all) and the bottom takes me back to my usual page, where i STILL have those 4 desktop icons. so now i REALLY need help. how do i get back to having just 1 windows? and again, how do i get rid of those stupid icons?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I can't help you until I see something to work with. You will need to determine what the icons are for to remove them.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. publiccovert

    publiccovert TS Rookie Topic Starter

    ah, i feel like a fool that i didn't see that before.
    sorry, ill edit this post with the results onec im done.
    Do i need to do this on both computers?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem. But don't edit the post to leave the logs because I don't get notified of a reply when it's an edit. Just make a new reply and paste the logs in the new reply. Okay to use another post if all logs won't fit in to one.

    We will work on one computer at a time so make sure all the information in this thread is for the same computer.

    I will emphasize though that once you run these programs and leave the logs that it is very important you follow my last sentence in red.
     
  5. publiccovert

    publiccovert TS Rookie Topic Starter

    Ok, i cant get these logs to post (they are way too long) and so i just posted the files.

    in summary, the anti-malware software took out the icons, links and programs lists that had appered, (which totaled 11 by then).
     

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your system is badly infected with:
    (Worm.AutoRun)
    (Rootkit.Agent)
    (Security.Hijack
    (Trojan.Hiloti.Gen)
    (Risk.HiddenExt)
    (Disabled.SecurityCenter)
    (Spyware.OnlineGames)

    and something questionable from: C:\Program Files\KWMUSIC\kwmusic.exe

    Since you attached the logs I asked you to paste in the reply, it will take me much longer to identify any entries because I now have to copy and paste each one in to search instead of doing it through my browser.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply. Split if needed.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ==============================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Paste Combofix report in the next reply. Split it over however many posts you need.

    I'll check back some time tomorrow.
     
  7. publiccovert

    publiccovert TS Rookie Topic Starter

    ComboFix 10-09-04.05 - Administrator 09/04/2010 22:36:10.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.293 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Application Data\f.exe
    c:\documents and settings\Administrator\autorun.inf
    c:\documents and settings\Administrator\Local Settings\Application Data\{7911E508-BB57-4668-A740-F8F6B8E7BD9E}
    c:\documents and settings\Administrator\Local Settings\Application Data\{7911E508-BB57-4668-A740-F8F6B8E7BD9E}\chrome.manifest
    c:\documents and settings\Administrator\Local Settings\Application Data\{7911E508-BB57-4668-A740-F8F6B8E7BD9E}\chrome\content\_cfg.js
    c:\documents and settings\Administrator\Local Settings\Application Data\{7911E508-BB57-4668-A740-F8F6B8E7BD9E}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{7911E508-BB57-4668-A740-F8F6B8E7BD9E}\install.rdf
    C:\MFILES
    c:\program files\qcat
    c:\program files\qcat\qcat.ini
    c:\program files\qcat\qsetup.exe
    c:\program files\qcat\tmpdata\Excel.lnk
    c:\program files\qcat\tmpdata\Intennet Exploner.lnk
    c:\program files\qcat\tmpdata\Launch Internet Explorer Browser.lnk
    c:\program files\qcat\tmpdata\Microsoft Update.lnk
    c:\program files\qcat\tmpdata\MySpaceIM.lnk
    c:\program files\qcat\tmpdata\Paint.lnk
    c:\program files\qcat\tmpdata\Play Star Wars Galactic Battlegrounds - Clone Campaigns.lnk
    c:\program files\qcat\tmpdata\PowerPoint.lnk
    c:\program files\qcat\tmpdata\Set Program Access and Defaults.lnk
    c:\program files\qcat\tmpdata\Skype.lnk
    c:\program files\qcat\tmpdata\Solitaire.lnk
    c:\program files\qcat\tmpdata\Spider Solitaire.lnk
    c:\program files\qcat\tmpdata\Windows Media Player.lnk
    c:\program files\qcat\tmpdata\Word.lnk
    c:\program files\qcat\tmpdata\Yahoo! Messenger.lnk
    c:\program files\WinPCap
    c:\program files\WinPCap\Accessibility Wizard.lnk
    c:\program files\WinPCap\Address Book.lnk
    c:\program files\WinPCap\Backup.lnk
    c:\program files\WinPCap\Calculator.lnk
    c:\program files\WinPCap\Character Map.lnk
    c:\program files\WinPCap\Command Prompt.lnk
    c:\program files\WinPCap\Config.ini
    c:\program files\WinPCap\Data Sources (ODBC).lnk
    c:\program files\WinPCap\Disk Cleanup.lnk
    c:\program files\WinPCap\DLS Loader.lnk
    c:\program files\WinPCap\Excel.lnk
    c:\program files\WinPCap\Files and Settings Transfer Wizard.lnk
    c:\program files\WinPCap\Freecell.lnk
    c:\program files\WinPCap\Hearts.lnk
    c:\program files\WinPCap\HyperTerminal.lnk
    c:\program files\WinPCap\Internet Backgammon.lnk
    c:\program files\WinPCap\Internet Checkers.lnk
    c:\program files\WinPCap\Internet Hearts.lnk
    c:\program files\WinPCap\Internet Reversi.lnk
    c:\program files\WinPCap\Internet Spades.lnk
    c:\program files\WinPCap\Magnifier.lnk
    c:\program files\WinPCap\Media Player Classic.lnk
    c:\program files\WinPCap\Microsoft Update.lnk
    c:\program files\WinPCap\Minesweeper.lnk
    c:\program files\WinPCap\MySpaceIM (Diagnostic Mode).lnk
    c:\program files\WinPCap\MySpaceIM.lnk
    c:\program files\WinPCap\Narrator.lnk
    c:\program files\WinPCap\Network Connections.lnk
    c:\program files\WinPCap\Network Setup Wizard.lnk
    c:\program files\WinPCap\New Connection Wizard.lnk
    c:\program files\WinPCap\Notepad.lnk
    c:\program files\WinPCap\On-Screen Keyboard.lnk
    c:\program files\WinPCap\OpenOffice.org 2.0.lnk
    c:\program files\WinPCap\OpenOffice.org Base.lnk
    c:\program files\WinPCap\OpenOffice.org Draw.lnk
    c:\program files\WinPCap\OpenOffice.org Math.lnk
    c:\program files\WinPCap\Outlook Express.lnk
    c:\program files\WinPCap\Paint.lnk
    c:\program files\WinPCap\Pinball.lnk
    c:\program files\WinPCap\Play Star Wars Galactic Battlegrounds - Clone Campaigns.lnk
    c:\program files\WinPCap\Play Star Wars Galactic Battlegrounds.lnk
    c:\program files\WinPCap\PowerPoint.lnk
    c:\program files\WinPCap\QuickTime.lnk
    c:\program files\WinPCap\RealMedia.lnk
    c:\program files\WinPCap\Remote Assistance.lnk
    c:\program files\WinPCap\Remote Desktop Connection.lnk
    c:\program files\WinPCap\Scheduled Tasks.lnk
    c:\program files\WinPCap\Set Program Access and Defaults.lnk
    c:\program files\WinPCap\Skype.lnk
    c:\program files\WinPCap\Solitaire.lnk
    c:\program files\WinPCap\Sound Recorder.lnk
    c:\program files\WinPCap\SoundMAX Control Panel.lnk
    c:\program files\WinPCap\Spider Solitaire.lnk
    c:\program files\WinPCap\Synchronize.lnk
    c:\program files\WinPCap\System Information.lnk
    c:\program files\WinPCap\System Restore.lnk
    c:\program files\WinPCap\The Conquerors - MFill.lnk
    c:\program files\WinPCap\The Conquerors - MSync.lnk
    c:\program files\WinPCap\The Conquerors - NoMusic.lnk
    c:\program files\WinPCap\The Conquerors - NormalMouse.lnk
    c:\program files\WinPCap\The Conquerors - NoSC.lnk
    c:\program files\WinPCap\The Conquerors - NoSound.lnk
    c:\program files\WinPCap\The Conquerors - NoStartup.lnk
    c:\program files\WinPCap\The Conquerors - NoTerrainSound.lnk
    c:\program files\WinPCap\Tour Windows XP.lnk
    c:\program files\WinPCap\Uninstall QuickTime Alternative.lnk
    c:\program files\WinPCap\Uninstall Real Alternative.lnk
    c:\program files\WinPCap\Uninstall.lnk
    c:\program files\WinPCap\Utility Manager.lnk
    c:\program files\WinPCap\Volume Control.lnk
    c:\program files\WinPCap\Windows Explorer.lnk
    c:\program files\WinPCap\Windows Media Player.lnk
    c:\program files\WinPCap\Windows Movie Maker.lnk
    c:\program files\WinPCap\Wireless Network Setup Wizard.lnk
    c:\program files\WinPCap\Word.lnk
    c:\program files\WinPCap\WordPad.lnk
    c:\program files\WinPCap\Yahoo! Messenger.lnk
    c:\windows\apalaguzeyaweb.dll
    c:\windows\system32\201094014418.dll
    c:\windows\system32\201094110627.dll
     
  8. publiccovert

    publiccovert TS Rookie Topic Starter

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DOGKILLER


    ((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
    .

    2010-09-04 19:04 . 2005-06-06 14:29 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-09-04 17:16 . 2010-09-04 17:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-09-04 16:55 . 2010-09-04 18:07 -------- d-----w- c:\windows\system32\CatRoot_bak
    2010-09-04 16:45 . 2010-09-04 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-09-04 16:45 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-04 16:45 . 2010-09-04 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-04 16:45 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-04 16:45 . 2010-09-04 16:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-04 15:41 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-09-04 15:40 . 2010-09-04 15:40 21 ----a-w- c:\windows\system32\mylk.dat
    2010-09-04 15:31 . 2010-09-04 15:52 28 ----a-w- c:\windows\system32\prntvpt.vbs
    2010-09-04 15:30 . 2010-09-04 16:34 -------- d-----w- c:\windows\system32\NtmsData
    2010-09-04 15:26 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-09-04 15:26 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-09-04 15:26 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-09-04 15:26 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-09-04 15:26 . 2010-09-04 15:26 -------- d-----w- c:\program files\Avira
    2010-09-04 15:26 . 2010-09-04 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-09-04 15:20 . 2010-09-04 15:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY.users
    2010-09-04 15:20 . 2010-09-04 15:20 -------- d-----w- c:\program files\SogouInput
    2010-09-04 15:20 . 2010-09-04 15:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY
    2010-09-04 15:20 . 2010-09-04 15:20 -------- d-----w- c:\program files\SogouExtension
    2010-09-04 15:19 . 2010-09-04 15:19 -------- d-----w- C:\KwDownload
    2010-09-04 15:19 . 2010-09-05 02:30 -------- d-----w- c:\program files\KWMUSIC
    2010-09-04 15:08 . 2010-09-04 15:08 189440 ----a-w- c:\program files\Common Files\Storm_new.exe
    2010-09-04 08:19 . 2010-09-04 08:19 -------- d-----w- C:\safemon
    2010-09-04 08:03 . 2010-09-04 08:04 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.0\DRM
    2010-09-04 05:46 . 2010-09-04 15:38 189440 ----a-w- c:\program files\Common Files\Storm_new.scr
    2010-09-04 05:43 . 2010-09-04 17:03 -------- d-----w- c:\program files\ATI
    2010-09-04 03:11 . 2010-09-04 08:07 -------- d--h--w- c:\documents and settings\Default User.WINDOWS.0
    2010-09-04 03:11 . 2010-09-04 08:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0
    2010-09-04 02:54 . 2010-09-05 02:43 -------- d-----w- C:\WINDOWS.0
    2010-09-01 06:23 . 2010-09-01 06:23 -------- d-----w- c:\windows\system32\LogFiles
    2010-08-29 01:14 . 2010-09-03 02:24 7631232 ----a-w- c:\documents and settings\Administrator\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.823.0-static-A.exe
    2010-08-29 00:13 . 2010-09-05 01:40 120 ----a-w- c:\windows\Vcowejarivewav.dat
    2010-08-29 00:13 . 2010-09-04 04:05 0 ----a-w- c:\windows\Mzonah.bin
    2010-08-28 05:39 . 2010-08-28 05:39 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-08-28 05:39 . 2010-09-04 20:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
    2010-08-28 05:38 . 2010-09-05 02:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
    2010-08-28 05:38 . 2010-08-28 05:38 -------- d-----w- c:\program files\Common Files\Skype
    2010-08-28 05:38 . 2010-08-28 05:38 -------- d-----r- c:\program files\Skype
    2010-08-28 05:37 . 2010-08-28 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-08-28 05:36 . 2010-09-05 01:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
    2010-08-28 05:19 . 2000-06-22 17:09 56320 ----a-w- c:\windows\system32\iyvu9_32.dll
    2010-08-28 05:19 . 2000-06-23 18:05 136704 ----a-w- c:\windows\system32\iacenc.dll
    2010-08-28 05:15 . 2010-08-28 05:15 -------- d-----w- c:\program files\LucasArts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-04 08:07 . 2009-06-29 06:15 -------- d-----w- c:\program files\Real Alternative
    2010-09-04 08:06 . 2010-09-04 08:15 -------- d-----w- c:\documents and settings\Administrator.HPQ\Application Data\AVG7
    2010-09-04 08:06 . 2009-06-29 06:14 -------- d-----w- c:\program files\QuickTime Alternative
    2010-09-04 06:13 . 2009-07-12 01:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
    2010-09-04 04:16 . 2010-04-03 22:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
    2010-08-29 01:14 . 2009-07-12 00:08 14304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-28 05:15 . 2009-07-08 20:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-28 03:00 . 2009-07-24 06:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
    2010-07-29 16:00 . 2010-07-30 01:14 282624 ----a-w- c:\windows\qqlogin.dll
    .
     
  9. publiccovert

    publiccovert TS Rookie Topic Starter

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
    "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 136600]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
    Ime File REG_SZ SOGOUPY.IME

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Documents and Settings\\Administrator\\Desktop\\Age of Empires II\\age2_x1.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\KWMUSIC\\KwMusic.exe"=
    "c:\\Program Files\\KWMUSIC\\KwMV.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/4/2010 11:26 AM 135336]
    S2 Wida;Wida;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Wida
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-04 c:\windows\Tasks\SogouImeMgr.job
    - c:\progra~1\SOGOUI~1\501~1.419\SGTool.exe [2010-06-28 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.google.com
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Tqipukogib - c:\windows\apalaguzeyaweb.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-04 22:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-04 22:58:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-05 02:58

    Pre-Run: 32,018,100,224 bytes free
    Post-Run: 31,906,512,896 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - F1D5F2D128C2E4743A5B7F053CDDD698
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. You may be infected with the Sality Virus. IF that proves to be the case, I will recommend a reformat/reinstall.

    PleaseRun Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    The Eset log can be attached.
     
  11. publiccovert

    publiccovert TS Rookie Topic Starter

    ok, here's the log
     

    Attached Files:

  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, most of the entries are in the Qoobox which is where Combofix puts the quarantined files. I have been working on that log for a while to see if the system is salvageable.


    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Services
      :Reg
      
      :Files  
      C:\Program Files\Common Files\Storm_new.exe	
      C:\Program Files\Common Files\Storm_new.scr	
      C:\WINDOWS\qqlogin.dll	
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===================================
    You need to Disable AutoRun:
    This will not block the vulnerability, however. It will reduce the vulnerability a bit. Please see Microsoft Support article 967715 for more details. http://support.microsoft.com/kb/967715
    You will have to determine if you have the requisite updates first.

    After you have disabled AuroRun, please reboot the computer and rescan with the Eset online scanner.
     
  13. publiccovert

    publiccovert TS Rookie Topic Starter

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\Common Files\Storm_new.exe moved successfully.
    C:\Program Files\Common Files\Storm_new.scr moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\qqlogin.dll
    C:\WINDOWS\qqlogin.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 112003799 bytes
    ->Temporary Internet Files folder emptied: 6328897 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 2666905 bytes
    ->Flash cache emptied: 3302 bytes

    User: Administrator.HPQ
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: All Users.WINDOWS.0

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS.0
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 33783030 bytes

    Total Files Cleaned = 148.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 09052010_233249

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

     
  15. publiccovert

    publiccovert TS Rookie Topic Starter

    sorry, did not have enough time.
     

    Attached Files:

    • log.txt
      File size:
      6.9 KB
      Views:
      1
  16. publiccovert

    publiccovert TS Rookie Topic Starter

    ok, whilst you are working on this, i have to ask you a question, would this virus.....or whatever the F it is... could it have infected just ONE peticular powerpoint or word file? and if so, could it have been programmed to unleash at a peticular date? and my big question, if that ONE file is what is infected, could i open it and copy and paste the text to another file without copying the virus?

    the reason i ask is that i accesed another pc in my house, not the first one and not the laptop. this pc has no access to the internet and has not been in direct or internet connection with the other two and.....FRICKIN CHINESE ICONS!!! only this computer has the language softwhere already installed and i can read the titles of the icons....

    links to chinese online stores, importation dealers and...you guessed it....porn.

    sorry, but this is really starting to P me off. i honestly think it has infected the 1 file that i cannot replace and have been working on for almost a full year, and the third computer is just not able to be lost at all. (it may help to know that it has a second hard drive and over 250gigs of important data, so im hoping i can just disconnect that and it'll still be ok).


    PS: I really appreciate your help and expertiese. this has been really tiring
     
  17. publiccovert

    publiccovert TS Rookie Topic Starter

    something new, i disconected a flash drive from my laptop and all the icons went away! could it be that fricking little piece of $#!+ screwing up my pc?
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your flash drive could have been the source of some of the infections. We can disinfect that.

    You have 3 new infections- one is another autorun. Did you disable the autoruns?
    Win32/AutoRun.Delf.HK worm
    Win32/StartPage.NSJ trojan
    Win32/HideProc.NAF trojan


    I strongly recommend you stop using the Administor account.. Please read the information here about UAC: http://support.microsoft.com/kb/922708

    I am also going to recommend that you reformat/reinstall:
    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     
  19. publiccovert

    publiccovert TS Rookie Topic Starter

    yea, i disable the autorun per the instructions, and i can tell ya, it takes a while to get used to not immieditly working with a disc or drive that was inserted. lol.
    how can we disinfect the flash drive?
    what other account should i use? that link didnt say much, being for vista and all. i found the xp equivilant, but am still confused.
    and any ideas how to back up the important stuff on my harddrive before the reformat/reinstall without getting the virus?
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Autorun worms spread from USB/thumb drives as well as fixed and mapped drives. Autorun worms typically drop or download additional malware, usually backdoors and password stealers. this will give you additional information about Autorun: http://antivirus.about.com/od/securitytips/a/autorunfaqs.htm

    Flash Drive Disinfector:
    Threat Removal Procedure:

    • [1]. Download Flash_Disinfector and save it to your Desktop.
      [2]. After downloading, double-click on Flash_Disinfector to run it.
      [3]. Just follow the prompts and continue until it begin scanning.
      [​IMG]
      [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
      [5]. It will scan removable drives, wait for the scan to finish. Done.

    And the big question:
    The time to backup is before an infection. At this point, you do not know which files have been infected. If you back up and want to put back on the system when clean, you will need to scan the files with the AV program first.

    You will find an excellent write up by jobeard regarding the account here: http://www.tech-101.com/system-security/46-security-101-2a-lua-vs-admin-accounts.html
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Due to inactivity, this thread is being closed. Please send a PM to your helper if you need it reopened.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...