Unable to connect to DB after cleanup?!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Aloevera, Mar 10, 2006.

  1. Aloevera

    Aloevera Private E-2

    Hi,

    I've been affected by SpyFalcon and some other malware I'm not sure of. After going through the clean-up process in the READ & RUN sticky, it seems one of my programs that needs to connect to a DB on the server doesn't work. When trying to get data it says it couldn't find the server and the connection cannot be established. I am not sure whether I may have deleted some files that are causing this problem. :rolleyes: The DB program is called ObjectStore. If anyone has any idea please let me know. I really need to get this back on to do some work. Thanks in advance. :eek:

    Also, after running all the clean-up programs I ran BitDefender and Panda ActiveScan. I still find some malware in the system. I have attached the txt file and HJT file. Please help me get rid of it. Thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    The log for BitDefender that you posted is only a log summary and is not useful to us. If you had followed the instructions in step 6 you would have gotten the full log showing what was found and where it was found. This would have been an html file in text format.

    Did you add all those entries to your Hosts file? They seem more like malware, and standard practice is to remove all entries from the hosts file, but I wanted to check with you first.

    If you did not add those lines to the hosts file, run the steps below with Hoster. Do they have something to do with ObjectStore?

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    MessengerPlus! 3 is discussed in step 0 of the READ & RUN ME. We always recommend uninstalling this application because it has infected thousands of people with malware including nasty LOP infections. It is supported by 3rd party malware and can mess you up big time.

    Also look in Add/Remove programs for the below and uninstall if found.
    Cashbar
    cashdeluxe
    Seaside Sunset ScreenSaver
    Tibs cashdeluxe

    Do you know what these next two processes are? Do they have something to do with ObjectStore?
    F:\Asis1v11\BIN\tool\AprMonitorLicense.exe
    O23 - Service: SDDServerService - Amtec - F:\Asis1v11\BIN\SDDServerService.exe

    Why are you running without an antivirus and without a firewall?

    You have some password stealing trojans installed. You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


    I need some feedback on the above before we continue.
     
    Last edited: Mar 10, 2006
  3. Aloevera

    Aloevera Private E-2

    Thanks chaslang,

    I am running BitDefender again to get the full log file, sorry for this.

    I'm checking those hosts right now. ObjectStore is used to connect to a local DB, not via the internet.

    I will run Hoster and remove MSN once BitDefender has finished.

    I don't see any of those programs in Add/Remove Programs.

    F:\Asis1v11\BIN\tool\AprMonitorLicense.exe
    -- this one is part of my program, which is safe (I installed it)

    O23 - Service: SDDServerService - Amtec - F:\Asis1v11\BIN\SDDServerService.exe
    -- this one is also part of the program.

    The infected computer connects to the internet via a server computer which I believe already has a firewall, and anti-virus makes my computer run very slow :(

    As you suggested, I will disconnect the infected computer once it has finished running BitDefender. Is this very serious??? :rolleyes:

    I have changed my online bank password, emails, etc.

    Thanks a lot for your help. I will post new log files in a min.
     
  4. Aloevera

    Aloevera Private E-2

    Here are my new log file and HJT file.

    Can we tell when we were affected by this password stealer program?

    Thanks again for your help.
     

    Attached Files:

  5. Aloevera

    Aloevera Private E-2

    I'm sorry, but I did follow step 6 and I'm getting the same format txt file, I think :confused:
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you slowly follow exactly, word for word, what it says there in step 6 you will not get a standard text summary like you are posting. You will get an html file (with a .txt extension) and it will contain more than just a summary. A summary only gives virus names but does not say in what files or folders they were found.

    You do notice however that your log this time is significantly smaller, which means all the previous issues mentioned were (or are) now fixed.

    All those O1 hosts lines are still in your log. Did you run Hoster? Are those lines related to some of this software you are using????
     
    Last edited: Mar 10, 2006
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not MSN!!!! It is not Microsoft software. It is Messenger Plus, which is a third party addon to use with MSN Messenger. But it is sneakware (tries to pull the wool over your eyes and tricks you into installing malware).

    Every computer on a network should still have a firewall and, even more important, its own AV. Things can spread behind your server firewall among the other computers. And if someone installs anything on a PC that has a virus in it, obviously with no AV you have no protection, and all PCs can get infected, especially if drives or folders are shared.

    Yes! That is the reason for the warning. It is better to be safe than sorry.

    From a different and hopefully uninfected PC???????

    Since you have no firewall or AV, any PC in your network could have the same problems. And note, some of these kind of trojans even sneak past some AVs and firewalls. Sometimes this is because the software is not kept up to date, or Windows Updates are not maintained, or a user simply does something that they should not do.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O4 - HKLM\..\Run: [SS1HelperStartUp] F:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1
    O4 - HKLM\..\Run: [6fc2aaee.exe] F:\WINDOWS\System32\6fc2aaee.exe
    O4 - HKLM\..\Run: [sysvx] F:\WINDOWS\sysvx_.exe
    O4 - HKLM\..\Run: [rscn] F:\WINDOWS\System32\bum73.exe ymmud
    O4 - HKLM\..\Run: [sachost] F:\WINDOWS\sachostx.exe
    O4 - HKLM\..\Run: [intell321.exe] F:\WINDOWS\System32\intell321.exe
    O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys1.exe
    O4 - HKCU\..\Run: [CashFiesta] F:\Documents and Settings\AP100N01\My Documents\Cashfiesta.exe
    O4 - HKCU\..\Run: [6fc2aaee.exe] F:\Documents and Settings\AP100N01\Local Settings\Application Data\6fc2aaee.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [WinMedia] F:\WINDOWS\System32\vxgamet4.exe2560.exe
    O4 - HKCU\..\Run: [Shell] "F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://nprotect.ini3.com/nProtect/KeyCrypt/npkcx.cab
    O20 - Winlogon Notify: access98 - access98.dll (file missing)
    O20 - Winlogon Notify: App Management - F:\WINDOWS\system32\olbccp32.dll (file missing)
    O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - F:\WINDOWS\System32\dcom_14.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (some may not be found):
    F:\PROGRA~1\SEASID~1 <--- this is the Seaside Sunset ScreenSaver folder. Delete the whole folder
    F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe <--- delete all files in this folder that begin with ibm000. There may be multiple .EXE files and some .DLL files.
    F:\Documents and Settings\AP100N01\My Documents\Cashfiesta.exe
    F:\Documents and Settings\AP100N01\Local Settings\Application Data\6fc2aaee.exe
    F:\WINDOWS\System32\6fc2aaee.exe
    F:\WINDOWS\System32\bum73.exe
    F:\WINDOWS\System32\intell321.exe
    F:\WINDOWS\System32\vxgamet4.exe2560.exe
    F:\WINDOWS\system32\olbccp32.dll
    F:\WINDOWS\System32\dcom_14.dll
    F:\WINDOWS\sysvx_.exe
    F:\WINDOWS\sachostx.exe
    C:\Windows\xpupdate.exe
    C:\\gimmysmileys1.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
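The fix list above is the result of reading the HJT log by eye. As an added example, not part of the original thread and not HijackThis's own code, the Python below parses the same kinds of lines and applies the heuristics that make those entries stand out: an autostart pointing at a file that is gone, random-looking or double-extension file names, executables sitting directly in the Windows directory or in a user profile, file names within two edits of a system binary such as svchost.exe, a "Windows update" value name whose file is outside System32, and the adware names from the Add/Remove list. The sample log is constructed from lines quoted in the thread; the AprMonitorLicense O4 line (built from the process path mentioned above), the edit-distance threshold and the name patterns are assumptions. The ObjectStore/ASIS entries come out unflagged, which is the point: this is triage to focus a human reader, not a verdict.

```python
import re

# Constructed sample: HijackThis lines quoted in the thread, plus one O4 line built from the
# AprMonitorLicense.exe process path that the poster said is a legitimate part of ASIS.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [6fc2aaee.exe] F:\WINDOWS\System32\6fc2aaee.exe
O4 - HKLM\..\Run: [rscn] F:\WINDOWS\System32\bum73.exe ymmud
O4 - HKLM\..\Run: [sachost] F:\WINDOWS\sachostx.exe
O4 - HKCU\..\Run: [CashFiesta] F:\Documents and Settings\AP100N01\My Documents\Cashfiesta.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] F:\WINDOWS\System32\vxgamet4.exe2560.exe
O4 - HKCU\..\Run: [Shell] "F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [AprMonitorLicense] F:\Asis1v11\BIN\tool\AprMonitorLicense.exe
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - F:\WINDOWS\System32\dcom_14.dll (file missing)
O23 - Service: SDDServerService - Amtec - F:\Asis1v11\BIN\SDDServerService.exe
""".strip().splitlines()

O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
EXT_RE = re.compile(r"\.(?:exe|dll|scr|cab)", re.I)
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "services.exe")
ADWARE_TOKENS = ("cash", "gimmysmileys", "seasid")  # from the Add/Remove list earlier in the thread

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def file_path(target):
    """Drop HJT's '(file missing)' marker and any command-line arguments, keep the file path."""
    target = MISSING_RE.sub("", target).strip()
    if not target:
        return None
    if target.startswith('"'):
        return target[1:target.index('"', 1)]
    last = None
    for m in EXT_RE.finditer(target):  # last extension wins: 'bum73.exe ymmud' -> bum73.exe
        last = m
    return target[:last.end()] if last else target

def parse(line):
    kind, _, rest = line.partition(" - ")
    e = {"line": line, "kind": kind, "name": "", "target": "", "path": None}
    if kind.startswith("R"):                 # R0/R1: IE start/search page values
        e["name"], _, e["target"] = rest.partition(" = ")
    elif kind == "O4":                       # Run key: [value name] command
        m = O4_RE.match(rest)
        e["name"], e["target"] = m.group(2), m.group(3)
    else:                                    # O20/O21/O23: "label: name - ... - path"
        parts = rest.split(": ", 1)[1].split(" - ")
        e["name"], e["target"] = parts[0], parts[-1]
    e["orphan"] = bool(MISSING_RE.search(e["target"]))
    if kind in ("O4", "O20", "O21", "O23"):
        e["path"] = file_path(e["target"])
    return e

def reasons(e):
    """Heuristics that make an entry worth a second look; an empty list means nothing stood out."""
    why = []
    if e["kind"].startswith("R"):
        return ["IE default/local page set to about:blank"] if e["target"].strip().lower() == "about:blank" else why
    if e["orphan"]:
        why.append("autostart points at a file that is no longer on disk")
    if not e["path"]:
        return why
    low = e["path"].lower()
    base = low.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if len(EXT_RE.findall(base)) > 1:
        why.append("double extension in file name")
    if re.fullmatch(r"[0-9a-f]{8,}", stem) or re.search(r"\d{2,}", stem):
        why.append("random-looking file name (hex string or digit run)")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
        why.append("executable directly in the Windows directory rather than System32")
    if "\\documents and settings\\" in low:
        why.append("runs from a user profile directory")
    for legit in SYSTEM_NAMES:
        if base != legit and levenshtein(base, legit) <= 2:
            why.append("name resembles system binary " + legit)
    if re.search(r"windows|microsoft|update", e["name"].lower()) and "\\system32\\" not in low:
        why.append("value name claims to be Windows but file is outside System32")
    if any(t in (e["name"] + base).lower() for t in ADWARE_TOKENS):
        why.append("name matches an adware family listed for uninstall")
    return why

def triage(lines):
    out = []
    for line in (l.strip() for l in lines if l.strip()):
        e = parse(line)
        e["reasons"] = reasons(e)
        out.append(e)
    return out

def delete_list(findings):
    """Files to remove in safe mode: flagged entries whose path starts with a drive letter."""
    return sorted({f["path"] for f in findings if f["reasons"] and f["path"] and re.match(r"[A-Za-z]:\\", f["path"])})

if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print("FLAG" if f["reasons"] else "ok  ", f["line"])
        for r in f["reasons"]:
            print("        -", r)
    print("\nDelete in safe mode (some may already be gone):")
    for p in delete_list(found):
        print("   ", p)
```

Run it on a full log by replacing SAMPLE_HJT with the file's lines. The delete list it prints is the same shape as the safe-mode list above; anything it flags that you installed yourself (like the ASIS service, which it leaves alone here) is a reason to add a name to an allow-list, not to delete the file.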
     
  9. Aloevera

    Aloevera Private E-2

    Here is my new HijackThis file.

    I have also run Hoster already. And yes, I changed all passwords from another computer, but it's on the same network so I'm not sure how safe that could be :confused:

    I have a design program which starts up automatically when I log in (it is my company's program). This is the one that is having a problem connecting to the DB on the server. I've noticed that it freezes when it loads up now and hangs. I'm not sure what happened.

    I appreciate all your help and sorry if I didn't do anything correctly. I am not very good with this stuff :rolleyes:
     

    Attached Files:

  10. Aloevera

    Aloevera Private E-2

    By the way, I couldn't find any of the files/folders that you told me to delete with Windows Explorer :confused:
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything I gave you to do is still in your log! It does not appear to me that you are remembering to click Fix in HJT. Either that, or one of two other things is the problem:

    1) you do not have proper permissions (like Admin) to make the changes

    2) something (like any malware prevention tool) is blocking the changes.

    Note: I also think the O1 hosts lines are related to the software you are using. You had better double check. Not sure why they would put all those gibberish characters in there, but notice how a couple of lines contain text similar to your program's:
    O1 - Hosts: 192.9.200.121 asis4-01 # ±ÏÀÞ FA¿ÌÄiŽ–j
    O1 - Hosts: 192.9.200.131 asis2-01 # ±ÏÀÞ FA¿ÌÄiŽ–j

    Are those IP addresses being shown part of your network?
    How many PCs on the network?

    Run the below on the PC that you use to change passwords (attach the two logs but make sure you make a point of reminding me that these are for the OTHER pc)

    Using GetRunKey
    Running Ewido Anti-Malware
     
  12. Aloevera

    Aloevera Private E-2

    I am sure that I have clicked Fix in HJT but don't know why it wouldn't go away :rolleyes:

    I will check the permissions now. I'm not familiar with the network setup and I didn't set this network up myself, but I will try to explain to give you some picture. Please bear with me.

    The affected computer is a client to the main server. There are approximately 7 computers in the network including the main server. I believe those IP addresses are the network setup. The Asis thingy is part of the design program I was talking about; there are about 3 computers that have this design program installed, and the program has been installed by a software company and requires a license to run. I cannot format nor delete any part of the program (and I don't intend to, because the program is very expensive and it's company property).

    I think the unreadable characters may be Japanese or something and my computer couldn't recognise it, since the program was originally created by a Japanese company.

    The affected computer itself has 2 hard drive partitions, C: and F:; it was affected by the malware while running on the F: drive.

    I will now run those programs you gave me on the other computer which I used to change passwords. And I will run HijackThis again on the affected computer just to be sure.

    I will post the new log file soon (about an hour - need to go to lunch :) )

    I hope this will give you some picture of my network system. Thank you again for your time.
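Chaslang asked whether the O1 hosts entries belong to the ASIS software and what Hoster's "Restore Original Hosts" would do to them, and Aloevera guessed the unreadable comment is Japanese. As an added example, not from the thread and not Hoster's code, the Python below audits a hosts file read as raw bytes: it decodes each comment as UTF-8 first and falls back to cp932 (the assumption being that a tool from a Japanese vendor wrote the file in the Japanese Windows ANSI code page), classifies every entry by what it does to name resolution, reports what the Hoster restore would drop, and lists entries that blackhole a name to 127.0.0.1 or redirect a dotted name to another host. The sample file is constructed: the two asis lines reuse the comment bytes exactly as they appear garbled in the log above (the log shows them as Windows-1252 text, so encoding that text back to cp1252 recovers the original bytes), and the example.com-style names are stand-ins for the kind of entries malware adds, not anything from this log.

```python
import ipaddress

# Constructed sample hosts file. The asis lines carry the comment bytes as garbled in the HJT log
# above; the last two lines are constructed stand-ins for entries malware typically adds.
GARBLED_COMMENT = "±ÏÀÞ FA¿ÌÄiŽ–j"              # the comment as the log displayed it
COMMENT_BYTES = GARBLED_COMMENT.encode("cp1252")   # what the tool actually wrote to disk
SAMPLE_HOSTS = b"\n".join([
    b"127.0.0.1       localhost",
    b"192.9.200.121 asis4-01 # " + COMMENT_BYTES,
    b"192.9.200.131 asis2-01 # " + COMMENT_BYTES,
    b"127.0.0.1 updates.example-antivirus.com   # constructed: vendor site blackholed",
    b"10.1.1.99 www.example-bank.com            # constructed: name redirected to another host",
])

def decode_comment(raw):
    """Try UTF-8, then cp932 (assumed code page of the Japanese vendor's tool), then latin-1."""
    for codec in ("utf-8", "cp932"):
        try:
            return raw.decode(codec), codec
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1"), "latin-1"

def classify(ip, host):
    """What the entry does to name resolution, independent of whether it is wanted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if host.lower() == "localhost" and addr.is_loopback:
        return "default"            # the only line Hoster's restore keeps
    if addr.is_loopback or addr.is_unspecified:
        return "blackholed"         # the name deliberately resolves to nowhere
    if "." not in host:
        return "lan-name"           # bare machine name, e.g. a server on the LAN
    return "redirect-private" if addr.is_private else "redirect-public"

def parse_hosts(raw):
    entries = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        body, has_comment, comment = line.partition(b"#")
        fields = body.decode("ascii", "replace").split()
        if not fields:
            continue                # blank or comment-only line
        text, codec = decode_comment(comment.strip()) if has_comment else ("", None)
        ip, names = fields[0], fields[1:]
        for host in names:
            entries.append({"line": lineno, "ip": ip, "host": host, "class": classify(ip, host),
                            "comment": text, "codec": codec})
    return entries

def hoster_would_drop(entries):
    """'Restore Original Hosts' rewrites the file to localhost only; these entries disappear."""
    return [e for e in entries if e["class"] != "default"]

def needs_attention(entries):
    """Entries that change where a dotted name resolves: review each before keeping it."""
    return [e for e in entries if e["class"].startswith(("blackholed", "redirect"))]

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for e in entries:
        print(f"{e['line']:>2} {e['class']:<16} {e['ip']:<15} {e['host']:<30} {e['comment']} [{e['codec']}]")
    print("\nDropped by Hoster (re-add any you need, e.g. the asis servers):")
    for e in hoster_would_drop(entries):
        print("  ", e["ip"], e["host"])
    print("\nSuspicious:")
    for e in needs_attention(entries):
        print("  ", e["class"], e["ip"], e["host"])
```

Decoded as cp932, the garbled comment turns into half-width katakana and a kanji, which is consistent with a Japanese-language tool and not with anything malware writes; the asis entries are classified as plain LAN machine names. The practical consequence for this thread is that the Hoster restore removes those two lines along with everything else, so a program that reaches its database server by the name asis4-01 stops resolving it until the lines are put back. To audit a real machine, read the file with open(r"C:\WINDOWS\system32\drivers\etc\hosts", "rb") in place of SAMPLE_HOSTS.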
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have Administrator privileges? If not, you may not be able to make the changes.

    If yes, you are the Admin: after trying to use HJT to fix those items again, if they still appear, we will have to terminate or uninstall all active malware tools and then repeat the steps. There is also the possibility that the malware itself has changed registry editing permissions and that this is blocking the changes.
     
  14. Aloevera

    Aloevera Private E-2

    Hi,

    I've logged in as Administrator and gone through those steps again. Here is the new HijackThis file.

    I have not yet been able to run Ewido on the other machine that I used to change passwords because it is being used by other people. I will do that once I have a chance.

    Thanks
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Big difference now! Huh? ;)

    Now it is clean!

    How are things working now with all those baddies cleaned up?
     
  16. Aloevera

    Aloevera Private E-2

    Yeah, I noticed that my log is much smaller :)

    Now I'll wait to scan my other PCs on the network just to be sure it's not hiding somewhere and waiting to come back!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you really need to scan all of your PCs. The ibm000xxx stuff, sachostx, and sysvx_.exe stuff are really bad things to have on your PC, as I told you about passwords being stolen.

    Read this:
    http://www.liutilities.com/products/wintaskspro/processlibrary/sachostx/

    sysvx_.exe is the same trojan as sachostx.exe

    also see:
    http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/

    And xpupdate.exe spreads over network shares. See the below:
    http://www.sophos.com/virusinfo/analyses/w32rbotqe.html
     
  18. Aloevera

    Aloevera Private E-2

    Now, I've done the System Restore reset :)

    Still having a problem connecting to the DB, but I guess I have to ask the software company to fix this. The malware must have messed up some of the files :rolleyes:

    Anyway, thanks a lot for your time to help me out.

    I will post logs for the other PCs soon. Please bear with me :)
     
  19. Aloevera

    Aloevera Private E-2

    Does this mean I am safe to use online banking again on this PC???? :confused:

    I'm quite scared now :(
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that would be best!


    You're welcome. Did you see message number 17 I just posted at the same time as you?
     
  21. Aloevera

    Aloevera Private E-2

    Yes I did, and I did read the articles, thanks :)

    Can I do internet banking on this fixed PC?? Would it be safe now???
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right now I would be very careful about that. You (and anyone else using the PCs) should check with their financial institutions and credit card companies for any strange activity. Run Ewido on the PC just cleaned too!!!!

    And as I pointed out with the stuff in message # 17, your other PCs on the network could be infected. The only way to know is to check them.

    You should run scans on ALL PCs. You could start with Ewido on all of them. Also look for yourself at the Ewido log. Look for any of these trojans. You could even look at HJT logs on them to compare to the one we just cleaned. However do not start posting HJT logs for each one in this thread (at least not yet). It could get very confusing handling a bunch of PCs that way.
     
  23. Aloevera

    Aloevera Private E-2

    Hi,

    These are the log files from running GetRunKey and Ewido on the PC that I used to change my passwords. It seems to be clean :)

    Now I'm running Ewido on every PC in the network. If I find anything serious I'll let you know.

    Just some points though: I find that after cleaning up the affected PC, it seems to be working very slowly at start-up (slower than it used to be), and sometimes Explorer just couldn't find the page and I have to close the browser and open it up again to get it working.

    Is there something I missed??? :confused: Because the log files are clean.

    Thanks
     
  24. Aloevera

    Aloevera Private E-2

    Log files, sorry, forgot them in the last post.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see this PC at least has an antivirus installed! ;) Looks clean from these snapshots.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what could be causing that. Since it still had no AV or firewall and since we removed a load of malware, it should start up faster.

    Try getting and Ewido log on it too. Let's see if anything else is hiding. Then also run the below and attach the log.



    Download Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  27. Aloevera

    Aloevera Private E-2

    Hi,

    I downloaded Blacklight but I couldn't install it. Once I double click the .exe file, it says "F-Secure Blacklight was unable to acquire necessary privileges."

    By the way, after trying out several logins it seems that when I log in as Administrator or using a different hard drive, i.e. C:, it doesn't seem to be that slow. Only when I log into drive F: (the affected drive) using a user login that is not Administrator. :confused:
    I am guessing that maybe it is due to the auto-loading program which requires a connection to the database (as this program is unable to connect since the malware screwed it up). What do you think?

    Thanks a lot for your time.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to be Admin to run Blacklight!

    What do you mean by "log into drive F"? Do you have multiple boot partitions?

    If the problems only occur on certain user accounts and not others then it is more than likely a difference between what software applications you run for each user account. While each user account on a PC can be affected with malware differently, there are also some malware problems that can impact all accounts.

    Which user account have we been cleaning? Is it an account with Administrator privileges? Right now my best guess is that you have some kind of software or hardware issue, not malware.
     
  29. Aloevera

    Aloevera Private E-2

    I was logged in as Administrator :) It just keeps giving me the same error. :confused:

    Anyway, don't worry about it. I agree with you that I have some software problem. I will have to look into the programs installed on the PC now.

    Thanks a lot for all your help :) I've learned so much!

    No doubt this is the best support forum I've seen! :)

    Cheers!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. When you finally get it worked out, come back and tell us what the problem was.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
