Author Topic: Went to infected site, downloaded off of it, HELP  (Read 12033 times)

0 Members and 1 Guest are viewing this topic.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Went to infected site, downloaded off of it, HELP
« on: June 04, 2009, 09:52:53 PM »
Ok, I went to this site, downloaded a download, ran the installer and then it added all these weird shortcuts to my desktop. Including something dealing with speed up my PC and smileys. I uninstalled it right away and then removed the shortcuts to the sites.

Well, Firefox stopped responding. So when I restarted it, it had a new addon installed. I removed that right away. My hijack this log is in the attachment and if you want to examine the file, go here, hXXp://www.appleblossomart.net/XPStyles/Pink-Love-XPStyles.htm. Be warned that the site also has javascript coding that's malware. Be sure to have NoScript! Well, can you examine my hijack this logfile?

After I erased all of that, I went on WOT (Web Of Trust) and typed in the address. Well, it was rated yellow and two comments were saying it was a virus. So I added my comment about what happened. There is also something strange because now I can't go to YouTube. That's what made me suspicious. If you want I can download the installer file again and send it to Alwil.

But I still feel worried because it had something like spy in the addon. I can't remember the addon's name (sorry about that) and I might try Internet Explorer for the addon. But I don't know how to tell if a addon was installed in Internet Explorer or not because Firefox was looking like Firefox. All I wanted was a Vista style so my computer would look a little more like vista but I guess that plan failed.

Any advice plus why didn't Avast! detect the sites on my desktop and the software as suspicious? Should I try Malwarebytes' Antimalware and SuperAntiSpyware? Do I have hidden processes that Avast! didn't alert? Will my computer be ok if I restart? Thanks for your advice if you reply!

~Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Went to infected site, downloaded off of it, HELP
« Reply #1 on: June 04, 2009, 11:02:15 PM »
Well the analysis of the hjt log,

Check the following against virustotal if not legit fix:

C:\DOCUME~1\Donovan\LOCALS~1\Temp\MSI3CB.tmp   
Visitor's assessment Analyzerdetails

C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
    
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Ycomp*_*_*_*.dll - Yahoo Companion!, Yahoo Companion!

O4 - HKLM\..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
   
   Unknown application. Check

O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
   Check if you know this site and fix it if you do not.
Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.
If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc,
it should be fixed!

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab  Spyware related and slow computer down
   
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
! Is safe, nuisance score o

023 - Service: SeekappSrch Service - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
Your computer has been severely infected by malware, that is SEEKAPP139.EXE. This is quite dangerous and unsafe for your PC and there may be other infections on your PC. You should urgently check your PC and remove any malicious application including SEEKAPP139.EXE as soon as possible.
   Location : C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp139.exe
Type : Malware
Dangerous : YES
Removal : Immediately
How to remove using ComboFix: http://forums.majorgeeks.com/showthread.php?p=1331439
Follow the instructions there to remove this from Firefox
KILLALL with ComboFix, look where these items are actually on your machine, and give these files and path in following the example below::

Driver::
seekapp139

File::
C:\Program Files\Mozilla Firefox\extensions\{4548ECB8-DA60-439A-A00D-5C893F8E1F9A}\chrome\seekapp.jar
C:\Program Files\Mozilla Firefox\searchplugins\seekapp139.xml
C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp139.exe

Folder::
C:\Program Files\SeekappSrch

You will be known as the young malware fighter that learned cleansing the hard way, namely by self-infection, also know as the procedure of self-infliction,

polonus


   
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7087
  • Be alert for error code - ID 10T
Re: Went to infected site, downloaded off of it, HELP
« Reply #2 on: June 04, 2009, 11:08:13 PM »
***

Sooner or later, his computer is going to get infected with something that can not be fixed.


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Went to infected site, downloaded off of it, HELP
« Reply #3 on: June 04, 2009, 11:16:21 PM »
Hi CharleyO,

The only way some will be educated, vitro stands in the hallway 8) together with malware all sorts, nice couple, don't you think?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Went to infected site, downloaded off of it, HELP
« Reply #4 on: June 05, 2009, 12:42:07 AM »
Location: C:\DOCUME~1\Donovan\LOCALS~1\Temp\MSI3CB.tmp
Name: MSI3CB.tmp
VirusTotal Results
Stats: Virus Not Detected By Avast,
Action: Will be moved to chest and sent to Alwil.


Location: C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
Name: seekapp139.exe
VirusTotal Results
Stats: Possible False Positive
Action: Send to Alwil just in case.

Name: O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Statics: Known but removed from computer.
Action: Deleted

Name: O4 - HKLM\..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
Statics: My Windows Vista Cursor for XP.
Action: No Action

Thats all I can do so far. ;)

I'll try using ComodoFix to remove it!
« Last Edit: June 05, 2009, 01:06:00 AM by Donovansrb10 »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Went to infected site, downloaded off of it, HELP
« Reply #5 on: June 05, 2009, 01:22:02 AM »
Hi Donovansrb10,

So from now on we only give you an indication of what could be wrong or what not, the investigating, the malware cleansing etc. you have to do on your own. That is the best way to get organized.
One day in the future you will also turn to SafeHex, first just build your own convictions,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Went to infected site, downloaded off of it, HELP
« Reply #6 on: June 06, 2009, 01:31:04 AM »
Used ComboFix but I fell asleep while it was cleaning. Where does it save the log?
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Went to infected site, downloaded off of it, HELP
« Reply #7 on: June 07, 2009, 12:13:45 AM »
Look for ComboFix.txt with the search function of your computer, you may find it that way,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Went to infected site, downloaded off of it, HELP
« Reply #8 on: June 07, 2009, 02:01:12 AM »
I coulden't find combofix.txt...
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Went to infected site, downloaded off of it, HELP
« Reply #9 on: June 07, 2009, 03:32:58 PM »
Look for log.txt then,

p
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Went to infected site, downloaded off of it, HELP
« Reply #10 on: June 08, 2009, 12:46:03 AM »
I only found this log.txt:


 11:8:9.140 **************************   

 11:8:9.140 *       P.L.F.S.         *   

 11:8:9.140 * Polygon LogFile System *   

 11:8:9.140 *        2000            *   

 11:8:9.140 **************************   

 11:8:9.140   

 11:8:9.765 INFO:  INFO:  Begin Surface init 

 11:8:9.765 INFO:  new SaianSound   

 11:8:10.109 INFO:  READ:  attenteZomb.anm 

 11:8:10.171 INFO:  READ:  attenteZomb2.anm 

 11:8:10.171 INFO:  READ:  pris.anm 

 11:8:10.218 INFO:  READ:  PitiZomb1.anm 

 11:8:10.280 INFO:  READ:  PitiZomb2.anm 

 11:8:10.296 INFO:  READ:  PitiZomb3.anm 

 11:8:10.640 INFO:  Read to rumble   

 11:8:22.609 INFO:  interface : 1   

 11:8:48.234 INFO:  Queued Speech :  sounds\ope11.6.wav 

 11:8:48.234 INFO:  Queued Speech :  sounds\zbv11.wav 

 11:9:16.609 INFO:  CREDITS !!!   

 11:9:23.562   

 11:9:23.562 *******************   

 11:9:23.562 * PLFS terminated *   

 11:9:23.562 *******************   

 11:9:23.562   
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Went to infected site, downloaded off of it, HELP
« Reply #11 on: June 08, 2009, 12:48:27 AM »
Hi d,

It should be in the folder where ComboFix is. Else you could run ComboFix again and publish that logfile txt here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Went to infected site, downloaded off of it, HELP
« Reply #12 on: June 08, 2009, 12:52:03 AM »
I'll try running ComboFix again but it may have a error since a virus made me lose administrator stats...
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline +AdDicT+

  • Anime Otaku!
  • Advanced Poster
  • **
  • Posts: 710
  • Defense is the best offense!
    • Watch anime^^
Re: Went to infected site, downloaded off of it, HELP
« Reply #13 on: June 08, 2009, 06:02:15 AM »
Hope that ur problem will be fixed soon^^

God Bless u...

-AnimeLover^^
Currently watching: Detective Conan, Maoyuu Mao Yuusha, and many others!
Avast 9.x Free, Windows Firewall, Firefox 24.x, Win 7 Ultimate
Last updated: Oct 24, 2013

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Went to infected site, downloaded off of it, HELP
« Reply #14 on: June 08, 2009, 06:14:56 AM »
I'll try running ComboFix again but it may have a error since a virus made me lose administrator stats...

-= Boot into safemode & login as th user with the name Administrator.. Then go to control panel & change your account type to Computer administrator.. Reboot..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1