Am I OK?

bottlewine · Feb 10, 2009

Hi,

My Antivir has been popping up with endless viruses/trojans daily.
I've performed your requested scans, and attached my log files.
Please let me know if all is OK now...

Thanks,
Bottlewine

bottlewine · Feb 10, 2009

Am I OK - last attachment

Here is the last attachment requested.
Thanks for your help.

TimW · Feb 11, 2009

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O20 - AppInit_DLLs: qhnoah.dll
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now let's use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Dirlook::
c:\windows\system32\3361

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

Be sure to tell us how things are running.

bottlewine · Feb 11, 2009

Hi Tim,

The logs I sent in were for my laptop. This morning, the OS stopped booting. It didn't boot in safe mode either. Not having any important data on my laptop, I reinstalled Windows XP, and reformatted everything. That takes care of the laptop, I guess :confused

But I have another serious issue going on.

I also have a desktop computer that just went out a few days ago. I was deleting trojans and viruses with Avira, when my OS shut down, and did not boot up again. It didn't boot in safe mode either.

The data on this computer is important. This is what I have done so far:

A friend got the OS back up and running temporarily. I moved all my data to one drive, named SICKY. I physically took SICKY out of my computer. I reinstalled XP and reformatted the computer. I copied the data from SICKY into a linux machine for storage (for now). I reformatted SICKY and plugged it back into the computer. Everything in my computer should be clean now. But my question is this: How do I move all my data (from the linux machine) back into the computer without bringing all the potential malware back in??

I'm at a total loss. Please assist!

thanks,
Bottlewine

TimW · Feb 11, 2009

You need to post in the software forum for that issue (moving files from linux).

But I need to tell you that any usb devices you have plugged into these computers are infected.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d320a87-c684-11dc-9d18-00c09fad9b1b}]
\Shell\AutoRun\command - G:\1weicxa.com
\Shell\explore\Command - G:\1weicxa.com
\Shell\open\Command - G:\1weicxa.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{282d22a2-56ce-11dd-9da5-0012f0b1da4a}]
\Shell\AutoRun\command - G:\1weicxa.com
\Shell\explore\Command - G:\1weicxa.com
\Shell\open\Command - G:\1weicxa.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd518fda-b6ca-11dc-9d0c-00c09fad9b1b}]
\Shell\AutoRun\command - d.com
\Shell\explore\Command - d.com
\Shell\open\Command - d.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6184006-89a6-11dd-9dcc-0012f0b1da4a}]
\Shell\AutoRun\command - G:\1weicxa.com
\Shell\explore\Command - G:\1weicxa.com
\Shell\open\Command - G:\1weicxa.com

Since you have now reformatted the one machine. Please start a new thread for the other machine. You will need to plug in these devices when you run the scans. This is thumb drives, flash cards or cameras....

bottlewine · Feb 11, 2009

Hi Tim,

Thanks for your swift reply.
Once I move all my data back to my computer, I'll plug in all my USB keys and scan. If I don't find anything, should I perform the 4 logs again anyhow, just to be sure?

Thanks,
Bottlewine

TimW · Feb 12, 2009

I would suggest that you use a cd to transfer your data....then run all the scans again so we can be sure you are clean.

Log in or Sign up

Am I OK?

bottlewine Private E-2

Attached Files:

SASlog.txt

mbam.txt

ComboFix.txt

bottlewine Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

bottlewine Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

bottlewine Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member