Wish I didn't have to come back...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TheGarnisher, Jan 18, 2007.

  1. TheGarnisher

    TheGarnisher Private E-2

    Well I'm not sure where I went wrong as I had my firewall up, my spyware software working etc... but I got infected with Trojans again similar to last time. I've done the read and run me first. Files are attached.

    I obviously need to learn how to protect my computer better.
     

    Attached Files:

  2. TheGarnisher

    TheGarnisher Private E-2

    other files
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Please attach the log from AVG Anti-Spyware as requested. Make sure that you had it fix everything. If you did not fix (i.e., quarantine or delete) the problems, run the scan again and fix everything.
    • Also you are way out of date with your versions of GetRunKey and ShowNew. As specified in the READ & RUN ME you must also check that you are using updated copies of ALL programs. Please download the current versions of these now. Do not attach new logs yet! I will ask for them further down.
    • Also make sure ALL of your other tools have been updated (like Spybot for one example, and make sure to re-immunize every time you update).
    You have a ton of trojans installed. It looks to me like you have to be more careful where you surf, what you click on, and what you download.


    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Make ABSOLUTELY sure that you only stop, disable and delete EXACTLY what I give below. You will see other similarly named services with the words Remote Procedure Call in them that are valid. You must only stop, disable and delete the exact names I give below!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to GrayPigeonfdServe
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Remote Procedure Call System(RPCS)
      • Remote Procedure Call System(RPCSo)
      • Windows Management Instrumentation Driver
    • Click OK until you get back to Windows
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste GrayPigeonServ into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • Rpcsc
      • RpcSo
      • WMID
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 222.208.183.175 www.kirinkwy.com.cn
    O1 - Hosts: 222.208.183.175 3707229.sx.5151j.net
    O1 - Hosts: 222.208.183.175 www.7282214.cn
    O1 - Hosts: 222.208.183.175 www.wg77169.cn
    O1 - Hosts: 222.208.183.175 www.233049.com
    O1 - Hosts: 222.208.183.175 sou2.m369m.com
    O1 - Hosts: 222.208.183.175 sou3.m369m.com
    O1 - Hosts: 222.208.183.175 www.79793.com
    O1 - Hosts: 222.208.183.175 goujiao.e34.163ns.com
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
    O4 - HKLM\..\Run: [rq72xueqy] C:\WINDOWS\alga.exe
    O4 - HKLM\..\Run: [tpxhst32.exe] C:\WINDOWS\system32\tpxhst32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [zyk0gytr1g93v] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [zvtiwym] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [zv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ztu4qmj365e] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [zlh6u6kx7i3] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [zht] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [zbsheh6e36] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [zb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [z9rlzdq8deb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [z9crijssx] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [z5rx2yvh82mzc3m] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ys6lrkbq] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ylwuzjes0ycf9f0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ygwg1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [yd451s3glhjb941] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [y9ebtzd] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [y99gvw91bv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [y019y1vxb7edt] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [y] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xx6z8mje] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xwkcq0d32mev] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xv7dcsjbs4y] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xthlsfuycduh] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xlrj] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xi6zej2zh] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [xdu9r2y] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [wwhblq5u] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [wrb8yic5i] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [wr] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [w9i] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [w87zylv04] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [w2z] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [vsl1j] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [vmdq] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [uz3] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [uwlcch7b7se10] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [uq7] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [um4df0kled2] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [uf44f9myc10stb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [u9sbl] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [u82j] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tw] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tvv4hs0e369tv6] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tudxheie6] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tsflt8cr44zlbbs] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tilzvjhmdexdvv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tfs8lhdutlm90y] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [tbibgy1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [t9] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [t1h1kqd93jkg2zj] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [t0rffugkrqbwb6k] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [su2cl7ek1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ss82g635r] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [sch0i] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [rw7z2iydc2v] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [RealUpdate] C:\DOCUME~1\Regina\LOCALS~1\Temp\Update.exe
    O4 - HKCU\..\Run: [rcg20v0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [r6r6638m7dfkh] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [qrg9b8bkb3] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [qlj2bi] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [qjchxs] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [mxkgqyeyr5k5] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [mw27gtcyv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ml857u6r] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [mf5ifubs] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [mey26xulybhhy] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [m8itg99lr8e] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [m] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [lzr4qmdvwgli] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [lyci5rcwd] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [lh6ij6i6y] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [lgvwd4ixrrxz] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [l5bk6mhhgjl] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [kic9qe5] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [khdxuwwvtf4] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ked8h] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [kdlwku6y6b] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [kchkc9vhz07yee] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [k9z9] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [k8s2th5ws] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [k4xqswdri] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [jrh5ll80] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [jmyrydm0q] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [jfk] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [j5hjf1r1ki70] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [j] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [isk84] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ic] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [i9ucuks9wdu] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [hxxiv74zg] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [hx] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [hvhuw2xzhmb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [hrlk6msxg7hfk85] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [hkyrqexwtbrqc1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [hjw3803] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [h8y1i] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [h] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [gsmvuc95tjmysk] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [gs6yqb1ri] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [gs] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [gis64h] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [gdixvqbzy] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [g] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [fq0e0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [fbygtv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [f650d2] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [f5jwjbuws1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ev2] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ed0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [e9hkcrimyrgvk] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [dz8xh96wt7gvgb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [dxsc] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [dsv2jjwd] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [dj] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [dg5wy3fe] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [de] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ddur56kst] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [dc43u19ewjv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [d5mw2l] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [cziklx1smjhtbw] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [cyhhe214xj] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [cr82411usdxs3b] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [cqd1vk5h5] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [ckb5vebd4v91txq] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [cigv6g72] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [cfwbm1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [c91] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [c514jhbjw2r6c] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [b87g5cl4j] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [b27s9ex1q60tqhi] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [9vlrx15g] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [9qf4x35k3gx5] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [9fq9yb1xb5s20u3] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [97xug8d4mt] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [968ru2xdjlfjyf] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [9] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [8v63e1h9sulr] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [8ul] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [8lz42] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [86bf] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [83] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7y3rqk7uq6zr51] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7uwj73965z303hq] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7urjs1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7te] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7t534vx8fq] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7scru77zxwr] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7s8zudscxxk690] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [7m77kt9] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [79kjqhimue70] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [72fix1rih] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [703] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [6hxkx] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [6h1um1k] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [6brsi8f0rkvrm] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [5ybd3] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [5x] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [5w5yjw] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [5w40] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [5qdhse8w9] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [5kt1] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4uwrfvc6k8ms6bs] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4suc] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4rh1iwvx] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4m8xxdiv8] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4bqfr15vb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4bj4u7yqt] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [4bek3951b45] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [3q0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [3ci] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [38zk3] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [370hrm4gr0t8hb] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [33817dvh5] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [31f7z9s19k2] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [28jgb0xzzuch3u] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [1wlkek7sst] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [1ul] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [17z0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [0vgei] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [0t8] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [0rck] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [0hdstt4qufvh] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [05jsq14] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [057379] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
    O4 - HKCU\..\Run: [0] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe

    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Delete the below files if found:
    C:\WINDOWS\wsvbs.exe
    C:\WINDOWS\alga.exe
    C:\WINDOWS\system32\tpxhst32.exe

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Regina\Local Settings\Temp


    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2
    Mozilla Firefox (1.5.0.9)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
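    The HJT log quoted in the post above shows the pattern that makes these O1 and O4 lines stand out to an analyst: many hostnames pinned to one non-loopback address in the hosts file, dozens of randomly named Run values all pointing at one executable in a Temp folder, and a filename (expiorer.exe) that differs from explorer.exe by a single character. The script below is an added example, not part of the thread or of HijackThis; it applies those three checks to a constructed sample made of lines copied from the log above. The lookalike list and the thresholds (two or more hosts per address, three or more Run values per image) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log quoted in the thread,
# mixing legitimate Run entries with the suspicious ones the helper told the user to fix.
SAMPLE_LOG = r"""
O1 - Hosts: 222.208.183.175 www.kirinkwy.com.cn
O1 - Hosts: 222.208.183.175 sou2.m369m.com
O1 - Hosts: 222.208.183.175 www.79793.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
O4 - HKCU\..\Run: [zyk0gytr1g93v] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
O4 - HKCU\..\Run: [zvtiwym] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
O4 - HKCU\..\Run: [zv] C:\DOCUME~1\Regina\LOCALS~1\Temp\expiorer.exe
O4 - HKCU\..\Run: [RealUpdate] C:\DOCUME~1\Regina\LOCALS~1\Temp\Update.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"""

O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# System binaries whose names malware commonly imitates (assumption: a short illustrative list).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def image_path(cmd):
    """Return the executable path from a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def edit_distance(a, b):
    """Levenshtein distance; one substitution is what separates expiorer.exe from explorer.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename):
    """Return the system binary this filename imitates (distance exactly 1), or None."""
    b = basename.lower()
    for real in SYSTEM_BINARIES:
        if b != real and edit_distance(b, real) == 1:
            return real
    return None


def triage(log_text):
    """Parse O1/O4 lines and return a list of (line, reason) findings for an analyst to review."""
    findings = []
    hosts_by_ip = defaultdict(list)   # hosts-file redirects grouped by target address
    names_by_path = defaultdict(list)  # Run value names grouped by the image they launch
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            hosts_by_ip[m["ip"]].append(m["host"])
            continue
        m = O4_RE.match(line)
        if m:
            path = image_path(m["cmd"])
            run_entries.append((line, m["name"], path))
            names_by_path[path.lower()].append(m["name"])
    for ip, hosts in hosts_by_ip.items():
        if ip not in ("127.0.0.1", "::1") and len(hosts) >= 2:
            findings.append((f"O1 {ip}", f"{len(hosts)} hostnames redirected to one non-loopback address"))
    for line, name, path in run_entries:
        reasons = []
        low = path.lower()
        if "\\temp\\" in low:
            reasons.append("autorun image lives in a Temp directory")
        real = lookalike_of(low.rsplit("\\", 1)[-1])
        if real:
            reasons.append(f"filename imitates {real}")
        if len(names_by_path[low]) >= 3:
            reasons.append(f"same image registered under {len(names_by_path[low])} Run values")
        for r in reasons:
            findings.append((line, r))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

    Run against the sample, the hosts redirect is reported once, each expiorer.exe line is flagged for all three reasons, Update.exe is flagged only for its Temp location, and the QuickTime and Yahoo entries produce no finding.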
     
  4. TheGarnisher

    TheGarnisher Private E-2

    Sorry about older versions of software, I didn't realize they would have changed in only a couple months.

    Okay, ran through the above but did run into some issues.

    First, I couldn't locate the following folder:

    C:\Documents and Settings\Regina\Local Settings\Temp

    Perhaps it was deleted after I ran one of the spyware tools, I don't know. I double checked to make sure I had files unhidden and noticed a weird issue there also. Whenever I check both radial buttons are highlighted at the same time. So it says both show hidden files and don't show them. This happens no matter how many times I click and apply to tell it to only show hidden files and folders.

    Other issues:
    GrayPigeonfdServe Found and disabled it in services.msc, but HJT didn't find it when I tried to delete it there... Found the others though.

    Java 2 Runtime Environment, SE v1.4.2
    Mozilla Firefox (1.5.0.9)

    Neither of these would uninstall. Got error messages on the Java and computer would freeze whenever I tried to remove Mozilla. In the end I just installed the new versions anyway and left the old ones in place.

    The old version of firefox no longer shows up in add/remove programs but the old version of Java is still there.

    New scans are posted below
     

    Attached Files:

  5. TheGarnisher

    TheGarnisher Private E-2

    here's the AVG scan you wanted also...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The folder is there! Perhaps your malware problems are trying to block you from getting access to it since that is where it is all installed. I will give you a registry patch to try and correct your problems with Hidden files settings along with fixing some other issues. Try this:

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Is your copy of Spyware Doctor a paid version or free trial version?

    Your Filseclab firewall seems to have something disabled with MSconfig. Did you do this?

    In your first message you had a question about where you went wrong! How about the fact that you have no antivirus application installed???

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - AppInit_DLLs: 235780M.BMP
    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now Boot into safe mode and delete any of the below files if found:
    C:\Program Files\Internet Explorer\IEXPLORE.bbs
    C:\Program Files\Internet Explorer\IEXPLORE.New
    C:\Program Files\Internet Explorer\IEXPLORE.win
    C:\Program Files\Internet Explorer\iexplore.jmp
    C:\Program Files\Internet Explorer\IEXPLORE.Dat.
    C:\WINDOWS\system32\twunk32.exe
    C:\WINDOWS\system32\svchost.dll
    C:\WINDOWS\system32\drivers\usbme.sys
    C:\WINDOWS\SP24521.exe

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s msgr.dll
    del msgr.dll
    exit

    Now reboot into normal mode and delete the below folder if found:
    C:\Program Files\1B57D346

    See if this Your Uninstaller! 2006 can uninstall Java 2 Runtime Environment, SE v1.4.2


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  7. TheGarnisher

    TheGarnisher Private E-2

    OK, the reg edit seemed to do the trick in terms of fixing the hidden files problem.

    I own Spyware Doctor, however it's been running VERY slowly lately and really buggy so I'm wondering if it's been somehow screwed with.

    I have not "purposefully" disabled anything with regards to my firewall. I leave the door open for accidentally messing it up, but I did not disable anything with intent.

    In your list of things to delete once in safe mode, I only found the usbme item. None of the rest.

    When I went back to normal mode, it would not let me delete 1B57D346 because it said it was in use.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well part of it worked, but a couple of reg keys that should have been removed were not. They could be part of the malware.

    I suggest uninstalling it, rebooting (don't skip the reboot), then reinstalling. It does not appear to be installed properly right now.


    You missed this: C:\WINDOWS\SP24521.exe it is still there. See your newfiles.txt log. I will give you new steps below which will include deleting this.

    Please tell me what you see in this folder. I think it is part of the problems you are having and I think it is related to why certain registry keys are not deleting.

    You also appear to have Troj/Wlook-A, which is an information-stealing Trojan (that includes being a password stealer).

    You are strongly advised to do the following immediately:



    Let's delete some files using another method.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\SP24521.exe
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\msitinit.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Remember to tell me what is in the C:\Program Files\1B57D346 folder

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
