Several Viruses/Malware on Laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by Snape, Mar 18, 2006.

  1. Snape

    Snape Private E-2

    Hi all,
    I have read through the sticky which takes you through the detailed step by step procedure for scanning and disinfecting your computer, and have attached the results from Hijackthis (under normal operating mode), Bitdefender, and ActiveScan (taken under Safe mode as directed).
    My laptop has been running extremely slow, even for simple tasks. It's agonising. I have AVG, Adaware, CCleaner, Spybot, SpywareBlaster, SuperAdBlocker, and Windows Malicious Software Removal Tool installed. AVG runs but locks up halfway through. Adaware does not detect anything, but the attached logs certainly show I have a problem.
    I have just installed Zone Alarm on my computer for extra protection.
    Any idea where I need to go from here?

    Kind regards,
    S
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty your Super Ad Blocker\Quarantine folder!

    Also cleanup your email folders. The below stuff was detected by Panda and you must remove them manually:

    Code:
    Virus:W32/Mugly.L.worm Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Inbox[IMG_001.scr]
    Virus:Trj/Mitglieder.DC!CME-766 Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Inbox[19_04_2005.exe]
    Virus:Trj/Mitglieder.DQ Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Inbox[f5434.exe]
    Virus:W32/Bagle.DX.worm Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Inbox[Taxes.exe]
    Virus:Trj/Mitglieder.DC!CME-766 Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Junk[19_04_2005.exe]
    Virus:W32/Bagle.DX.worm Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Junk[Taxes.exe]
    Virus:Trj/Mitglieder.DQ Not disinfected C:\Documents and Settings\Jiggles\Application Data\Thunderbird\Profiles\28y2nnrp.default\Mail\Local Folders\Junk[f5434.exe]

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Your version of Sun Java needs to be updated and then you need to uninstall any old versions. You can do this after fixing all malware.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lzqehipzdny.org//ix6QArXQ0YeGloY4lC88CLOL6Rja/F9b6jUgJRh/5LmxIiGQwB9cPq9RCZ0jotb.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wxeivqrvhjkzszty.com//ix6QArXQ0ZwmvJkrVFVT2JyUCE1v80wP6uFDaS/IYU.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {00000000-6C30-11D8-9363-000AE6309654} - (no file)
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {0410B48C-7914-B81D-D77B-4203EC0A2866} - (no file)
    O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} -

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  4. Snape

    Snape Private E-2

    Hi Chaslang,
    I don't know how to clean up those email folders manually - when I go into the directory those specific files (img001.scr etc.) are not there. There are files called Inbox.sbd (a directory), Inbox (no extension), and Inbox.msg.
    I have reset websettings as you directed, and 'fixed' the appropriate entries in Hijackthis.
    I have rebooted, and it still runs slowly :(
    I will post my new Hijackthis log early tomorrow, I'm on my desktop at the moment.

    S
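The reason the flagged files are not visible in the folder is that Thunderbird keeps each Local Folders mailbox (the "Inbox" file with no extension) as a single mbox file, and the scanner's `Inbox[IMG_001.scr]` notation means the attachment is encoded inside that file as part of one message. The script below is an added illustration, not code from this thread or from MajorGeeks, of how a defender can pull the offending messages out of such an mbox without touching the rest: it parses the file with Python's standard `mailbox` module, flags any message carrying an attachment with an executable extension, and writes the flagged messages to a quarantine mbox and everything else to a clean copy. The extension list, the file names and the two sample messages it builds are all constructed assumptions for the demonstration; a real Inbox would be pointed at instead, with Thunderbird closed so it does not hold the file open.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Extensions treated as risky. .scr and .exe are the ones the scanner reported
# in this thread; the rest are the usual Windows executable set (an assumption).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def risky_attachments(msg):
    """Return the filenames of attachments in msg whose extension is risky."""
    found = []
    for part in msg.walk():          # walk every MIME part, nested ones included
        name = part.get_filename()   # None for parts without a filename
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(name)
    return found


def split_mbox(mbox_path, clean_path, quarantine_path):
    """Copy each message of mbox_path into clean_path or quarantine_path.

    Returns a dict mapping the Subject of every quarantined message to the
    list of risky attachment names that caused it to be quarantined.
    """
    src = mailbox.mbox(mbox_path)
    clean = mailbox.mbox(clean_path)            # created if it does not exist
    quarantine = mailbox.mbox(quarantine_path)
    report = {}
    try:
        for msg in src:
            bad = risky_attachments(msg)
            if bad:
                report[msg["Subject"]] = bad
                quarantine.add(msg)
            else:
                clean.add(msg)
        clean.flush()
        quarantine.flush()
    finally:
        clean.close()
        quarantine.close()
        src.close()
    return report


def build_sample_mbox(path):
    """Write a constructed two-message mbox: one benign, one with IMG_001.scr."""
    box = mailbox.mbox(path)
    benign = EmailMessage()
    benign["From"] = "alice@example.invalid"
    benign["To"] = "jiggles@example.invalid"
    benign["Subject"] = "Meeting notes"
    benign.set_content("See you Tuesday.")
    box.add(benign)

    suspicious = EmailMessage()
    suspicious["From"] = "unknown@example.invalid"
    suspicious["To"] = "jiggles@example.invalid"
    suspicious["Subject"] = "Your photo"
    suspicious.set_content("Check this out")
    # Placeholder bytes only; this is not a real executable.
    suspicious.add_attachment(b"MZ placeholder, not a real program",
                              maintype="application", subtype="octet-stream",
                              filename="IMG_001.scr")
    box.add(suspicious)
    box.flush()
    box.close()


def run_demo():
    """Build the sample, split it, and return (report, clean_count, quarantine_count)."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox = os.path.join(tmp, "Inbox")
        clean_path = os.path.join(tmp, "Inbox.clean")
        quarantine_path = os.path.join(tmp, "Inbox.quarantine")
        build_sample_mbox(inbox)
        report = split_mbox(inbox, clean_path, quarantine_path)
        clean_box = mailbox.mbox(clean_path)
        clean_count = len(clean_box)
        clean_box.close()
        quarantine_box = mailbox.mbox(quarantine_path)
        quarantine_count = len(quarantine_box)
        quarantine_box.close()
    return report, clean_count, quarantine_count


if __name__ == "__main__":
    report, kept, quarantined = run_demo()
    print("quarantined:", report)
    print("messages kept:", kept, "messages quarantined:", quarantined)
```

Run against a real profile, the clean copy would replace the original Inbox file (after backing it up) and Thunderbird would rebuild the folder index on its next start; the quarantine mbox can then be deleted or handed to the antivirus scanner. Matching on extension alone is deliberately simple: it catches the scanner's findings here, but a more thorough check would also look at the attachment's content type and magic bytes rather than trusting the declared name.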
     
  5. Snape

    Snape Private E-2

    I tried to run AdAware again this morning, and it still locks up on this directory:
    C:\Program Files\Common Files\System\Mapi\1033\NT
    I have attached the latest Hijackthis log, when running safe mode.
     
  6. Snape

    Snape Private E-2

    Uh, it won't let me attach the log.
     
