Virus problem.

[andy17null]

Same problem

I have the same problem as the OP, some help would be appreciated. I have downloaded and run Tool 1, but not deleted files yet. I have downloaded Tool 2, but I cannot download Tool 3; it redirects me to a site about the HTTP protocol. Attached are my HijackThis log and my SmitFraudFix log. Thanks for any help,

Isaac

 

[howard_hopkinso]

Hello and welcome to Techspot.

I have moved your post to it`s own thread. This is because we need every HJT thread to be on it`s own, so as not to cause confusion.

Go, download and run these three tools. Read the instruction for using each tool carefully.

Tool1. Tool2. Tool3.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :wave: :wave:

 

[andy17null]

Thanks, Howard. The ismon and ishost processes appear not to be running anymore, but there was still a suspicious process called update.exe. Attached are my HJT log, my SmitFraudFix log [rapport.txt], my Look2Me-Destroyer log, and my VirtumundoBeGone log.

I downloaded and am running Ewido as well, but it's taking forever. I'll post my new HJT log tomorrow morning after the scan finishes and cleans any detected malware.

Is it possible that lsass.exe could be infected? My firewall caught it trying to access the internet.


-Isaac



*edit* Can you please delete the above post, I would but I'm not sure how to do it with vBulletin, sorry.

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {173E4D2C-75E0-456C-B490-74B97B298F16} - (no file)

O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

O4 - Startup: Azureus.lnk = D:\Program Files\Azureus\Azureus.exe

O20 - Winlogon Notify: efeff - D:\WINDOWS\

O20 - Winlogon Notify: winwam32 - winwam32.dll (file missing)

Click on the fix checked button.

Close HJT.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log and let us know how your system is running.


Regards Howard

 

[andy17null]

I booted into safe mode and ran HJT. I don't have system restore installed on this computer at all, it's a slipstreamed nLite install. I did delete the above files in HJT, except for Azureus which I had intentionally placed in the Startup folder. After I deleted the files I immediately ran HJT again, and the scan came up clean, without any of the files I had just deleted.

When I booted into regular Windows, I ran a third scan, and three of the the offending files have reappeared in the HJT list. Furthermore, O20 - Winlogon Notify: winwam32 - winwam32.dll no longer has the (file missing) qualifier. Attached is the complete log.

 

[sw123]

Your log is clean(I think) I see no problems with it.

 

[howard_hopkinso]

Download the pocket killbox programme from HERE. Extract it, but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O20 - Winlogon Notify: efeff - D:\WINDOWS\ I can`t see any file details for this entry.

O20 - Winlogon Notify: winwam32 - D:\WINDOWS\ I can`t see any file details for this entry.

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

Type the full path to the winwam32.dll file. I don`t know the full path cause it`s not showing up in your HJT log.

Also the other 020 entry is of concern. Can you find the full path to whatever file it is?

Once your system has rebooted, let us know how your system is running.

Regards Howard

 

[andy17null]

I searched for "efeff" and "winwam32" using the regular windows search, with hidden files and folders turned on. No results were found for either, and so far my system has been running smoothly. Since there's nothing to delete with Killbox that I can find, I'm going to assume I'm clean until I experience problems. Thanks a ton for your help, you guys are by far the most helpful security site I've come across.

*edit* Just realized - The reason the two values still were in the list is that TeaTimer had prevented the registry keys from being deleted. I must have accidentally clicked "No, don't allow this change." for each one. After having HJT delete the keys a second time, TeaTimer popped up again and this time I did delete them. Now they no longer show up in HJT. Thanks again for the help!

 

[howard_hopkinso]

That`s good to know and thanks for your kind words.

If you have any further spyware/virus problems, please post in this thread.

Regards Howard

This thread is for the use of andy17null only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.