Avast WEBforum

Other => Viruses and worms => Topic started by: !Donovan on June 04, 2009, 09:52:53 PM

Title: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 04, 2009, 09:52:53 PM
Ok, I went to this site, downloaded a download, ran the installer and then it added all these weird shortcuts to my desktop. Including something dealing with speed up my PC and smileys. I uninstalled it right away and then removed the shortcuts to the sites.

Well, Firefox stopped responding. So when I restarted it, it had a new addon installed. I removed that right away. My hijack this log is in the attachment and if you want to examine the file, go here, hXXp://www.appleblossomart.net/XPStyles/Pink-Love-XPStyles.htm. Be warned that the site also has javascript coding that's malware. Be sure to have NoScript! Well, can you examine my hijack this logfile?

After I erased all of that, I went on WOT (Web Of Trust) and typed in the address. Well, it was rated yellow and two comments were saying it was a virus. So I added my comment about what happened. There is also something strange because now I can't go to YouTube. That's what made me suspicious. If you want I can download the installer file again and send it to Alwil.

But I still feel worried because it had something like spy in the addon. I can't remember the addon's name (sorry about that) and I might try Internet Explorer for the addon. But I don't know how to tell if a addon was installed in Internet Explorer or not because Firefox was looking like Firefox. All I wanted was a Vista style so my computer would look a little more like vista but I guess that plan failed.

Any advice plus why didn't Avast! detect the sites on my desktop and the software as suspicious? Should I try Malwarebytes' Antimalware and SuperAntiSpyware? Do I have hidden processes that Avast! didn't alert? Will my computer be ok if I restart? Thanks for your advice if you reply!

~Donovan
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: polonus on June 04, 2009, 11:02:15 PM
Well the analysis of the hjt log,

Check the following against virustotal if not legit fix:

C:\DOCUME~1\Donovan\LOCALS~1\Temp\MSI3CB.tmp   

C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
    
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Ycomp*_*_*_*.dll - Yahoo Companion!, Yahoo Companion!

O4 - HKLM\..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
   
   Unknown application. Check

O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
   Check if you know this site and fix it if you do not.
Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.
If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc,
it should be fixed!

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab  Spyware related and slow computer down
   
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
! Is safe, nuisance score 0

O23 - Service: SeekappSrch Service - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
Your computer has been severely infected by malware, that is SEEKAPP139.EXE. This is quite dangerous and unsafe for your PC and there may be other infections on your PC. You should urgently check your PC and remove any malicious application including SEEKAPP139.EXE as soon as possible.
   Location : C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp139.exe
Type : Malware
Dangerous : YES
Removal : Immediately
How to remove using ComboFix: http://forums.majorgeeks.com/showthread.php?p=1331439
Follow the instructions there to remove this from Firefox
KILLALL with ComboFix, look where these items are actually on your machine, and give these files and paths following the example below:

Driver::
seekapp139

File::
C:\Program Files\Mozilla Firefox\extensions\{4548ECB8-DA60-439A-A00D-5C893F8E1F9A}\chrome\seekapp.jar
C:\Program Files\Mozilla Firefox\searchplugins\seekapp139.xml
C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp139.exe

Folder::
C:\Program Files\SeekappSrch

You will be known as the young malware fighter that learned cleansing the hard way, namely by self-infection, also known as the procedure of self-infliction,

polonus


   
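The analysis above applies a handful of rules to HijackThis sections: an O2 BHO marked "(no file)" is a dead entry that can be fixed, an O4 autostart is "check", an O16 ActiveX download is "fix" when its name or URL contains words like 'dialer', 'casino' or 'free plugin' and "check" when it comes from a site you do not recognise, and an O23 service with an unknown owner running out of Application Data is the real infection. The script below is an added example written for this thread; it is not HijackThis, ComboFix or forum code. It turns those rules into a small triage function and runs it over sample lines constructed from the entries quoted above. The trusted-host set and the "service from a data directory" rule are assumptions made for the example, not rules stated by HijackThis.

```python
"""Triage HijackThis log entries with the heuristics used in the analysis above.

Added example for this thread; not HijackThis, ComboFix or forum code.
"""
import re
from urllib.parse import urlparse

# Words that, in an O16 ActiveX name or URL, mean the entry should be fixed.
O16_BAD_WORDS = ("dialer", "casino", "free plugin")

# Assumption: download hosts the owner recognises; anything else is "check".
DEFAULT_TRUSTED_HOSTS = frozenset({"disney.go.com"})

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
WIN_PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")

# Constructed sample log, built from the entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O23 - Service: SeekappSrch Service - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
"""


def triage_entry(line, trusted_hosts=DEFAULT_TRUSTED_HOSTS):
    """Return (section, verdict, reason) for one log line, or None if it is not an entry.

    verdict is one of "keep", "check" or "fix".
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()

    if section == "O2":  # Browser Helper Objects
        if "(no file)" in body:
            return (section, "fix", "BHO points to no file: deactivated leftover")
        return (section, "check", "BHO present; verify the CLSID and its file")

    if section == "O4":  # Run / RunOnce autostarts
        return (section, "check", "autostart entry; confirm the application is known")

    if section == "O16":  # Downloaded Program Files (ActiveX)
        for word in O16_BAD_WORDS:
            if word in low:
                return (section, "fix", f"ActiveX name/URL contains '{word}'")
        url_m = URL_RE.search(body)
        host = urlparse(url_m.group(0)).hostname if url_m else None
        if host in trusted_hosts:
            return (section, "keep", f"ActiveX from recognised site {host}")
        return (section, "check", f"ActiveX from unrecognised site {host}; fix if unknown")

    if section == "O23":  # Services
        if "unknown owner" in low:
            path_m = WIN_PATH_RE.search(body)
            path = path_m.group(1).lower() if path_m else ""
            # Assumption: a service binary living under Application Data, where
            # user data rather than installed software belongs, is treated as "fix".
            if "application data" in path:
                return (section, "fix", "unknown-owner service running from a data directory")
            return (section, "check", "service with unknown owner")
        return (section, "keep", "service with a known owner")

    return (section, "check", "section not covered by these heuristics")


def triage(log_text, trusted_hosts=DEFAULT_TRUSTED_HOSTS):
    """Triage every entry in a HijackThis log; non-entry lines are skipped."""
    results = []
    for line in log_text.splitlines():
        r = triage_entry(line, trusted_hosts)
        if r:
            results.append(r)
    return results


def summarize(results):
    """Count verdicts, e.g. {'fix': 2, 'check': 2, 'keep': 1}."""
    counts = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for section, verdict, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:5} {reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Entries that come out as "check" still need the VirusTotal lookup and the "do you know this site?" question from the analysis; the script only sorts the log so that the certain fixes are separated from the ones that need a human decision.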
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: CharleyO on June 04, 2009, 11:08:13 PM
***

Sooner or later, his computer is going to get infected with something that can not be fixed.


***
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: polonus on June 04, 2009, 11:16:21 PM
Hi CharleyO,

The only way some will be educated, vitro stands in the hallway 8) together with malware all sorts, nice couple, don't you think?

polonus
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 05, 2009, 12:42:07 AM
Location: C:\DOCUME~1\Donovan\LOCALS~1\Temp\MSI3CB.tmp
Name: MSI3CB.tmp
VirusTotal Results (http://www.virustotal.com/analisis/a549593a1eea91283dad3962699d46b78a81ba740612dcb6faa2acca85dd889e-1244153228)
Stats: Virus Not Detected By Avast,
Action: Will be moved to chest and sent to Alwil.


Location: C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
Name: seekapp139.exe
VirusTotal Results (http://www.virustotal.com/analisis/f3b4c7c8fc180213d3fb6f23a4b09a3a9205111d83a4ec3665bac240442bccc2-1244153396)
Stats: Possible False Positive
Action: Send to Alwil just in case.

Name: O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Statics: Known but removed from computer.
Action: Deleted

Name: O4 - HKLM\..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
Statics: My Windows Vista Cursor for XP.
Action: No Action

That's all I can do so far. ;)

I'll try using ComboFix to remove it!
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: polonus on June 05, 2009, 01:22:02 AM
Hi Donovansrb10,

So from now on we only give you an indication of what could be wrong or what not, the investigating, the malware cleansing etc. you have to do on your own. That is the best way to get organized.
One day in the future you will also turn to SafeHex, first just build your own convictions,

polonus
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 06, 2009, 01:31:04 AM
Used ComboFix but I fell asleep while it was cleaning. Where does it save the log?
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: polonus on June 07, 2009, 12:13:45 AM
Look for ComboFix.txt with the search function of your computer, you may find it that way,

polonus
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 07, 2009, 02:01:12 AM
I couldn't find combofix.txt...
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: polonus on June 07, 2009, 03:32:58 PM
Look for log.txt then,

p
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 08, 2009, 12:46:03 AM
I only found this log.txt:


 11:8:9.140 **************************
 11:8:9.140 *       P.L.F.S.         *
 11:8:9.140 * Polygon LogFile System *
 11:8:9.140 *        2000            *
 11:8:9.140 **************************
 11:8:9.140
 11:8:9.765 INFO:  INFO:  Begin Surface init
 11:8:9.765 INFO:  new SaianSound
 11:8:10.109 INFO:  READ:  attenteZomb.anm
 11:8:10.171 INFO:  READ:  attenteZomb2.anm
 11:8:10.171 INFO:  READ:  pris.anm
 11:8:10.218 INFO:  READ:  PitiZomb1.anm
 11:8:10.280 INFO:  READ:  PitiZomb2.anm
 11:8:10.296 INFO:  READ:  PitiZomb3.anm
 11:8:10.640 INFO:  Read to rumble
 11:8:22.609 INFO:  interface : 1
 11:8:48.234 INFO:  Queued Speech :  sounds\ope11.6.wav
 11:8:48.234 INFO:  Queued Speech :  sounds\zbv11.wav
 11:9:16.609 INFO:  CREDITS !!!
 11:9:23.562
 11:9:23.562 *******************
 11:9:23.562 * PLFS terminated *
 11:9:23.562 *******************
 11:9:23.562
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: polonus on June 08, 2009, 12:48:27 AM
Hi d,

It should be in the folder where ComboFix is. Else you could run ComboFix again and publish that logfile txt here,

polonus
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 08, 2009, 12:52:03 AM
I'll try running ComboFix again but it may have an error since a virus made me lose administrator stats...
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: cinchez on June 08, 2009, 06:02:15 AM
Hope that ur problem will be fixed soon^^

God Bless u...

-AnimeLover^^
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: .: L' arc :. on June 08, 2009, 06:14:56 AM
I'll try running ComboFix again but it may have an error since a virus made me lose administrator stats...

-= Boot into safemode & login as the user with the name Administrator.. Then go to control panel & change your account type to Computer administrator.. Reboot..
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 08, 2009, 06:27:15 AM
I'll try running ComboFix again but it may have an error since a virus made me lose administrator stats...

-= Boot into safemode & login as the user with the name Administrator.. Then go to control panel & change your account type to Computer administrator.. Reboot..

What's the administrator password? ???

I think a while ago a virus removed my safemode.
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: Tarq57 on June 08, 2009, 07:39:04 AM
I sense a re-install on the horizon.
Sorry to say, not very surprised.
I'd look at a full format and fresh install.
Maybe you can fix it, I don't know. I certainly wouldn't try at this point. You've borked it.
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: mkis on June 08, 2009, 08:07:41 AM
Don't think able to remove Safe Mode. Check jumpers for starters. Begin and boot up of single HDD, your system drive - should be C:\
Unclip the rest can add back on later. Sort out C:\ first.
Go cmos for setup when your computer posts, and check your IDE or SATA disks because you should be able to boot into Safe Mode. If you can't, then the intrusion could be nasty.

Anything from logs yet?
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: Hard_ROCKER on June 08, 2009, 02:13:32 PM
After reading some of his threads I realized that he keeps getting infected time and time again. Will he ever learn?

@Donovansrb10: Why are you asking us what the admin password is on your computer ? How are we supposed to know ? I am assuming you were able to get into safe mode if you are asking for the admin password ?

A combofix log would be nice.
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: Hard_ROCKER on June 08, 2009, 02:20:28 PM
BTW ComboFix log should be located at C:\ComboFix.txt ...
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 08, 2009, 09:52:04 PM
Ok, I found my old log! I'll try ComboFix again!
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: Hard_ROCKER on June 08, 2009, 10:17:12 PM
Did you manage to get into Safe Mode ?
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 08, 2009, 10:18:05 PM
Did you manage to get into Safe Mode ?

no.
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: Hard_ROCKER on June 08, 2009, 10:20:11 PM
What does that F12 key that you were talking about do ?
Title: Re: Went to infected site, downloaded off of it, HELP
Post by: !Donovan on June 08, 2009, 10:23:13 PM
What does that F12 key that you were talking about do ?

Opens the boot-up options, normal, network, etc...