PLEASE HELP! UNINTENTIONALLY INFECTING OTHERS THROUGH AIM AWAY MESSAGE

Discussion in 'malware problems & news' started by j1281, Sep 12, 2004.

Thread Status:
Not open for further replies.
  1. j1281

    j1281 Registered Member

    Joined:
    May 18, 2004
    Posts:
    8
    Hey guys, I'm not sure what I got, but I know that a (or a few) trojan horses are involved and it's pretty nasty.

    I clicked a link on someone's profile that said something like "OMFG LOOK!!!" and it pulled up some website that prompted me to install a few things, which I did, then the first of many trojan horses was detected. In order to remove these using HouseCall and AVG, I had to disable a few related processes by pressing ctrl alt delete, and disabling them. Now when I press ctrl alt delete, nothing happens, so I'm thinking that function is being blocked somehow. A couple other symptoms I've seen is that it seems to keep regenerating itself after I have removed it using AVG, when I click on "my computer" then "C" drive, I notice a few peculiar looking files keep appearing over and over, such as "crash.txt", etc. If I delete them, they eventually come back as well as the trojan itself. Also, the "My Documents" folder opens twice on start-up every time I start the computer. Using AOL IM has become a nightmare, because my away message is being sporadically changed to the "OMFG LOOK!!!" link and others are contracting it, so I have basically stopped using AIM all the way around for now.
    The name of the trojan in my AVG virus vault right now is installer.exe. The first one I encountered was WINAD.exe. Any help would be GREATLY appreciated,
    John
    Here is the log from Hijackthis:

    Logfile of HijackThis v1.98.0
    Scan saved at 3:44:23 PM, on 9/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\documents and settings\john\local settings\temp\c4s.exe
    C:\documents and settings\john\local settings\temp\ennJ7mNyZ.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Save\Save.exe
    C:\WINDOWS\System32\ELIMIEXPLORER.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\John\Application Data\uote.exe
    C:\WINDOWS\System32\w?nlogon.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\John\Desktop\New Folder\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://paws003.lsu.edu/pawsloginform.nsf/pawsloginfs?openagent
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {60A0655A-B712-78C7-D256-6D557BAC266A} - C:\WINDOWS\System32\kkercbe.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\John\Local Settings\Temp\xb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [lcn] C:\WINDOWS\lcn.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [c4s] C:\documents and settings\john\local settings\temp\c4s.exe
    O4 - HKLM\..\Run: [ennJ7mNyZ] C:\documents and settings\john\local settings\temp\ennJ7mNyZ.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKLM\..\Run: [ElimiExplorer Popup Killer] ELIMIEXPLORER.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Rbbe] C:\Documents and Settings\John\Application Data\uote.exe
    O4 - HKCU\..\Run: [Eavppm] C:\WINDOWS\System32\w?nlogon.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\RunOnce: [ElimiExplorer Popup Killer] ELIMIEXPLORER.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...56fa9d809633:a4835914695e3eeec245bc6f8b5fbb1c
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
     
  2. j1281

    j1281 Registered Member

    Joined:
    May 18, 2004
    Posts:
    8
    P.S.

    The link that started all this mess is:

    hyperlink text: "OMFG LOOK!!!", which I have also seen disguised as
    "View my BuddyProfile"
    hyperlink URL: "http://www.affoundation.org/mybestfriends.scr"

    I don't recommend visiting this link, I just figured I'd post it to warn others.
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you take the following steps:


    Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
    http://www.zonelabs.com


    Step 2. Download Stinger available here: do NOT run this YET.
    http://vil.nai.com/vil/stinger/


    Step 3. Turn OFF System Restore, this process depends on your operating system:


    Windows XP Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "System Restore"
    4. Place a tick in "Turn off System Restore on all Drives"
    5. Click OK
    6. Close and restart your system.


    OR


    Windows ME Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "Performance"
    4. Click "File system"
    5. Click "Troubleshooting"
    6. Check "Disable system restore"
    7. Click on OK
    8. Close and restart your system.


    Step 4. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


    Step 5. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up


    Step 6. Run a scan with your current Anti-virus program – MAKE SURE IT IS FULLY UP TO DATE with the latest virus signatures.


    Step 7. Run a scan with “Stinger” the program you downloaded above.


    Step 8. Reboot your system into normal mode.


    Step 9. Run a further online scan found here: http://housecall.trendmicro.com/


    When everything is clean, it is recommended that you turn System Restore back on.


    Step 10. Install, update and run the LATEST Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
    http://beam.to/spybotsd


    Step 11. Install, update and run the LATEST Adaware (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
    http://www.lavasoftusa.com


    Step 12. Install and run CWShredder available here:
    https://www.wilderssecurity.com/showthread.php?t=14086


    Step 13. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”.

    WEEKLY – check this is “Up to Date”.



    REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…



    IF the above does NOT fix your problem please download and run Hijack This found here:

    https://www.wilderssecurity.com/showthread.php?t=12516


    and post your log at one of the forums found here:

    http://a-sap.org/


    For the most part what I have suggested fixes the greater majority of problems out there...

    When your system is clean you may want to take a look here:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    for further discussion on security and how to make your system that much stronger.


    and here for more discussions:

    https://www.wilderssecurity.com/showthread.php?t=43117


    Hope this helps…

    Let us know how you go…

    Cheers :D
     
  4. j1281

    j1281 Registered Member

    Joined:
    May 18, 2004
    Posts:
    8
    Someone please analyze my Hijackthis log, I'm still having some problems

    I followed all of the steps listed in the reply to my previous thread, however I still can't shake this thing.

    Here's my Hijackthis log (I know active.exe is a main concern, but before I made any changes on my own I wanted an expert opinion, Thanks again)

    Logfile of HijackThis v1.98.0
    Scan saved at 2:48:10 AM, on 9/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\documents and settings\john\local settings\temp\c4s.exe
    C:\documents and settings\john\local settings\temp\ennJ7mNyZ.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ELIMIEXPLORER.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\John\Application Data\uote.exe
    C:\WINDOWS\System32\w?nlogon.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\John\Desktop\New Folder\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://paws003.lsu.edu/pawsloginform.nsf/pawsloginfs?openagent
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {60A0655A-B712-78C7-D256-6D557BAC266A} - C:\WINDOWS\System32\kkercbe.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\John\Local Settings\Temp\xb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [lcn] C:\WINDOWS\lcn.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [c4s] C:\documents and settings\john\local settings\temp\c4s.exe
    O4 - HKLM\..\Run: [ennJ7mNyZ] C:\documents and settings\john\local settings\temp\ennJ7mNyZ.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKLM\..\Run: [ElimiExplorer Popup Killer] ELIMIEXPLORER.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Rbbe] C:\Documents and Settings\John\Application Data\uote.exe
    O4 - HKCU\..\Run: [Eavppm] C:\WINDOWS\System32\w?nlogon.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\RunOnce: [ElimiExplorer Popup Killer] ELIMIEXPLORER.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...56fa9d809633:a4835914695e3eeec245bc6f8b5fbb1c
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Someone please analyze my Hijackthis log, I'm still having some problems

    Have you followed ALL the steps I posted?

    If you have followed my advice and are still having problems then at the end of my post you will see a link to post a Hijack This log, as Wilders no longer allows evaluation of such...

    Let us know how you go...

    Cheers :D
     
    Last edited by a moderator: Sep 13, 2004
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    If the proper use of tools like Stinger, Ad-aware and Spybot doesn't result in a clean system, then you need a detailed HijackThis Log analysis done. As mentioned above, Wilders does not do this any more so you'll need to follow up at a forum that does provide such services. The forum list at the ASAP page is where you'll find other such forums.

    http://a-sap.org
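
A first-pass triage of the kind of HijackThis entries discussed in this thread, as an added example that is not part of the original posts or of HijackThis itself. The sample lines are copied from the log posted above; the heuristic names and patterns are assumptions chosen for illustration, and an entry that is not flagged is not thereby clean.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\John\Local Settings\Temp\xb.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [c4s] C:\documents and settings\john\local settings\temp\c4s.exe
O4 - HKCU\..\Run: [Rbbe] C:\Documents and Settings\John\Application Data\uote.exe
O4 - HKCU\..\Run: [Eavppm] C:\WINDOWS\System32\w?nlogon.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
"""

# "<section code> - <rest>", e.g. "O4 - HKLM\..\Run: [c4s] C:\...\c4s.exe"
ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")

# Assumed triage heuristics (not HijackThis features). Each pattern runs on
# the lower-cased entry body and looks only at filesystem paths.
HEURISTICS = {
    # Browser helper or autorun loaded from the user's Temp directory.
    "runs-from-temp": re.compile(r"\\local settings\\temp\\[^\\]+\.(exe|dll)"),
    # Executable dropped directly into the profile's Application Data folder.
    "exe-in-appdata-root": re.compile(r"\\application data\\[^\\]+\.exe"),
    # Executable sitting directly in the root of a drive.
    "exe-in-drive-root": re.compile(r"(?<![a-z/])[a-z]:\\[^\\]+\.exe"),
    # "?" in a file name typically stands for a character the tool could not
    # render, which lets a file pass for a system binary such as winlogon.exe.
    "unrenderable-char-in-filename": re.compile(r"\\[^\\/]*\?[^\\/]*\.(exe|dll)"),
    # Registry entry left behind after its target was deleted.
    "target-file-missing": re.compile(r"\(file missing\)$"),
}


def triage(log_text):
    """Return [(section_code, body, [heuristic names])] for flagged entries."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, blanks, the "Running processes" list
        body = m.group("body")
        hits = [name for name, rx in HEURISTICS.items()
                if rx.search(body.lower())]
        if hits:
            findings.append((m.group("code"), body, hits))
    return findings


if __name__ == "__main__":
    for code, body, hits in triage(SAMPLE_LOG):
        print(f"{code:<4}{', '.join(hits):<32}{body}")
```

The search-bar entry (R1) and the AVG autorun pass through unflagged because these checks look only at file locations and names; redirected browser settings need a separate review.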
     
  7. j1281

    j1281 Registered Member

    Joined:
    May 18, 2004
    Posts:
    8
    Yeah I followed all of the detailed steps, including going into safe mode and everything, but it seems to still exist even though no trojans are detected by AVG or Housecall because the My Documents folder is still opening up twice on start-up and my away message on AIM is still changing. I didn't realize Hijackthis logs were no longer posted here, I'll check out the other sites.
    Are there any you guys would recommend for this particular situation?
    Thanks,
    John
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Let us know how you go...

    Cheers :D
     
  10. j1281

    j1281 Registered Member

    Joined:
    May 18, 2004
    Posts:
    8
    Well on spywareinfoforum.com it keeps telling me I can't make a post because I "do not have permissions" to. None of these sites seem to have the same functionality as Wilders, just out of curiosity, why don't you guys analyze Hijackthis logs anymore?

    John
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    SpywareInfo, like many forums that process HijackThis logs, will have its own policies and procedures for how and where logs are posted. Many forums require that you register as a member. Most require that you follow their specific posting guidelines (i.e. what pre-scans you need to run, what info you need to supply in your post, etc.).

    You should always review the guidelines at any forum you go to prior to starting to post.

    As for why we stopped doing these here, well it was a lot of factors, such as staffing levels and posting volumes. But it is explained more here:

    https://www.wilderssecurity.com/showthread.php?t=42175
     
  12. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    Doubt it helps but what I found is that it is well what McAfee says anyway http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127174 . Do a Google search for that WINAD.exe you will find a lot of hits. If you could, I would submit that link to an AV company and that file that did all of this. I think most AV companies do that at least I would hope so. I know McAfee will.
    https://www.webimmune.net/default.asp
    http://www.virustotal.com/flash/index_en.html
    http://www.ravantivirus.com/support/submit-file.php
    http://www.pandasecurity.com/submitvirus.htm
     
  13. j1281

    j1281 Registered Member

    Joined:
    May 18, 2004
    Posts:
    8
    I posted my log at CastleCops, and didn't get a reply on the actual log itself, but even more helpful a link to a site with detailed steps on how to remove this specific virus. My system is 100% clean now. Here's the link in case anyone else comes across the ElimiExplorer virus.

    http://www.geocities.com/cumquat18/elimiexplorer.html

    Thanks again and take care everyone,

    John
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia