Something Wicked....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Styx_oz, Oct 27, 2005.

  1. Styx_oz

    Styx_oz Private E-2

    Good Morning, Afternoon or Evening

    I'm having a very technologically challenging week: the hard drive on my notepad retired hurt, and on moving to the family desktop to do some work I discovered that the desktop has been hijacked. Blue screen, black square in the middle, "Spyware Infection" message....

    Technical details:

    Windows XP Service Pack 2
    Intel Celeron
    997 MHz 512 MB RAM

    I went through the "Read and Run me First" thread.... this is what happened:

    Online Scanners:

    I ran all four, one after the other, they all picked up viruses. I saved the logs from Bitdefender and Panda, both attached. The Bitdefender one was in .html format, I copied and pasted it into notepad, hope this was the correct thing to do.

    I then rebooted in safe mode as per instructions and ran all of the cleaning tools. Ad-Aware SE found nothing, Spybot found a host of things (including some CoolWebSearch stuff), Microsoft Antispyware found one item, CWShredder found nothing, Kill2Me found nothing.

    When I rebooted into normal mode, still the horrid desktop, so I thought I'd go one step further and try Ewido Security Suite. This found and cleaned 232 objects! (But didn't get rid of the desktop problem)

    Before I run HJT, Should I now uninstall Ewido, or can it run in conjunction with AVG?

    Thanks in advance.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Styx_oz

    Styx_oz Private E-2

    Thank you

    I followed the steps in the SpySheriff Removal thread as instructed. The only file that I found to delete was the C:\Documents and Settings\username\application data\install.dat .

    After completing the regedit instructions the desktop appears to be back to normal.

    HJT log attached.

    Do I need to uninstall ewido, or can it run along with AVG?

    Cheers
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can run Ewido with AVG. Ewido is a tool that complements antivirus applications.

    You have some more items to fix. Please note that one of the items I see remnants of may have been attempting to steal financial info from you. See this:

    http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html

    You may want to consider changing any passwords to financial related sites etc that you may have been accessing via your PC (just to be safe).

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
    O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\ocjjkegd.dll
    O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\bpdfklnb.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\WINDOWS\system32\ocjjkegd.dll

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
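The HijackThis lines chaslang lists above cover three persistence points (an HKCU Run value, a Winlogon Notify package and a ShellServiceObjectDelayLoad entry), and "(file missing)" marks registry entries whose target has already gone but still need fixing. Below is an added example of a small parser for those line formats with a few triage heuristics; it is not code from this thread or from HijackThis, it handles only the O4/O20/O21 shapes visible in the post, the sample input is the four lines quoted above, and the flagging rules (random-looking filename, Run value named after a Windows component) are my own heuristics that produce false positives and mean "look this up", not "malicious".

```python
"""Parse HijackThis O4/O20/O21 lines and flag entries worth a closer look.

Added example, not part of the original thread or of HijackThis. Assumes only the
line formats visible in the post above; the heuristics in assess() are the author's
own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\ocjjkegd.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\bpdfklnb.dll (file missing)
"""

MISSING_SUFFIX = " (file missing)"

# One pattern per section that appears in the thread.
RE_O4 = re.compile(r'^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$')
RE_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
RE_O21 = re.compile(r'^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')


@dataclass
class Entry:
    section: str                  # "O4", "O20" or "O21"
    location: str                 # registry location as HijackThis reports it
    name: str                     # value name (O4) or key name (O20/O21)
    path: str                     # file the entry loads, quotes stripped
    clsid: Optional[str] = None   # SSODL entries carry a CLSID
    file_missing: bool = False    # HijackThis appended "(file missing)"
    flags: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): a stem of 6+ lowercase letters containing a run of
    4+ consonants (ocjjkegd, bpdfklnb) is unlike most shipped Windows binaries."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{6,}", stem):
        return False
    return re.search(r"[^aeiou]{4}", stem) is not None


def assess(e: Entry) -> List[str]:
    """Triage notes for one entry; heuristics only, each hit means 'verify'."""
    flags = []
    if e.file_missing:
        flags.append("orphaned registry entry (file missing): still fix it in HJT")
    if looks_random(_basename(e.path)):
        flags.append("random-looking filename: check publisher/hash")
    if e.section == "O4" and e.name.lower() in {"shell", "explorer", "userinit", "winlogon"}:
        flags.append("Run value named after a Windows component")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a supported O4/O20/O21 line, else None."""
    line = line.strip()
    missing = line.endswith(MISSING_SUFFIX)
    if missing:
        line = line[: -len(MISSING_SUFFIX)]
    if (m := RE_O4.match(line)):
        e = Entry("O4", m["loc"], m["name"], m["path"].strip('"'))
    elif (m := RE_O20.match(line)):
        e = Entry("O20", "Winlogon Notify", m["name"], m["path"])
    elif (m := RE_O21.match(line)):
        e = Entry("O21", "SSODL", m["name"], m["path"], clsid=m["clsid"])
    else:
        return None
    e.file_missing = missing
    e.flags = assess(e)
    return e


def parse_hjt(text: str) -> List[Entry]:
    """Parse every supported line in a HijackThis log excerpt."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.section:<4}{e.name:<16}{_basename(e.path):<16}{'; '.join(e.flags)}")
```

Run it against a saved HijackThis log to get a short list of the entries that deserve attention first; anything not flagged still needs the usual manual review, since the heuristics only catch the patterns seen in this thread.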
     
  5. Styx_oz

    Styx_oz Private E-2

    Thanks again

    I will definitely have the internet banking passwords changed.

    Ran HijackThis and fixed the problems suggested. When I booted into safe mode, I found not only ibm00001.exe but also ibm00002.exe, both created on the same day at the same time, so I deleted them both (hope this was right).

    Computer seems to be running fine. Out of interest though, I checked my banking website; when I clicked on the "login" screen, the new browser window that opened had an about:blank label for a few seconds before it changed into the one I would normally expect. (I didn't log in.) Don't know if this means anything.

    Oh, and when I logged on in normal mode AVG didn't start up. I opened it manually with no problems.

    New HJT log attached.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to uninstall AVG, then reboot, and then reinstall. Something may have gotten corrupted somewhere if it is not running at startup. Let me know what happens.

    There are no issues to worry about in your log now. Although as a personal opinion, I don't like any of these things:

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
     
