nycste Posted September 7, 2007
Just updating this thread since no one here seems to care.

Originally posted by: mechBgon
Generally you'd start the program and then go to its Reports or Logs or whatever, and it would list them. (visual example)
The info you gave there indicates Trojans, which is not very surprising. People might run a Trojan and infect their own computer (infected warez, music files or video files containing exploits, etc.), and that's up to them to wise up and stop being gullible idiots. Exploits can also hit you with Trojans, and they are preventable/containable --> http://www.mechbgon.com/build/security2.html
At this point, you have your options. Fight your way forward, System-Restore your way back, or burn it to the ground and start over. If you are patient and can follow instructions exactly, then the CastleCops.com HijackThis forum has experts who would get you cleaned up, but it can be a lengthy process and requires restraint and self-discipline on your part to NOT go willy-nilly doing stuff they didn't tell you.

I'm glad you're here, and solving issues like this is really exciting for me. Wow, that sounded corny, but yeah, it's true. Thanks for spending time trying to help; you are helping, and I'm learning about new sites and programs that help.
1. Currently I'm running the online F-Secure test.
2. Downloaded and installing:
- Comodo BOClean Anti-Malware_4.25.exe
- AVG Anti-Spyware 7.5-7.5.1.43.exe
- avast! Virus Cleaner - free virus removal tool v1.0.211, built on 11.5.2007.exe
- SUPERAntiSpyware Version 3.9.1008 .exe
3. Gonna install them all, figure them out and run them.
4. I'm pretty sure I'm cleaned up, but my issues remain, so maybe I'm not fully clean.
Thanks for your help. I'll keep this thread updated, and I am interested in the CastleCops site.
nycste Posted September 7, 2007
It's not much, but just sharing more info.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/07/2007 at 01:59 AM
Application Version : 3.9.1008
Core Rules Database Version : 3301
Trace Rules Database Version: 1307
Scan type : Custom Scan
Total Scan Time : 00:59:18
Memory items scanned : 518
Memory threats detected : 0
Registry items scanned : 5311
Registry threats detected : 25
File items scanned : 31672
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

I checked out the location of the file C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS and it was last modified 8/24, way before I believe any infection happened, which was 1/3 days ago from a keygen.

According to the program, it says this:
Detected Item Description and Information
Listed below is basic information about the detected application/process. This application may not be safe to have on your system.
Summary : Unclassified.Oreans32.Process
Company : Unknown
Description : Unclassified.Oreans32 may be used for legitimate applications, but also for spyware - if you have this on your system, and you have another spyware infection, this is likely bad.
Threat Level (1-10) : 6
Processes : OREANS32.SYS

So I don't know if oreans32 is good or bad, but that's all that the scanners found. Ran 3 new things and only this came up, and the F-Secure online scan found something in my data folder, not sure what it removed; my Firefox was messed up from that scan.
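A defender's check for a flagged driver service like the oreans32 entry above, written as an added example (it is not code from the thread, from SUPERAntiSpyware or from any tool named here): it reads the service's registry entry, resolves the driver on disk, and reports the things that are actually worth weighing (signature status and hashes) alongside the timestamps, which any process can rewrite. It assumes a modern PowerShell with Get-FileHash and Get-AuthenticodeSignature rather than the 2007-era system in the thread; the service name is a parameter that defaults to oreans32 only because that is the name in the log.

```powershell
# Added example, not from the thread: triage one driver/service registry entry.
param([string]$ServiceName = 'oreans32')   # default taken from the scan log above

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) { Write-Output "No service key for $ServiceName"; return }

$svc = Get-ItemProperty -Path $svcKey
# Type 1 = kernel driver; Start 0/1/2 = boot/system/auto, 3 = manual, 4 = disabled.
Write-Output ("Type={0} Start={1} ImagePath={2}" -f $svc.Type, $svc.Start, $svc.ImagePath)

# Driver ImagePath values are often relative to the Windows directory
# ("system32\DRIVERS\x.sys") or prefixed with \SystemRoot\ or \??\; normalise them.
$img = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if (-not [System.IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }

if (-not (Test-Path $img)) {
    Write-Output "ImagePath $img does not exist on disk (orphaned service entry)"
    return
}

$f = Get-Item $img
# LastWriteTime is what Explorer shows as "modified". It is writable by any process,
# so an old date on its own proves nothing; report it next to CreationTime and size.
Write-Output ("Created={0} Modified={1} Size={2}" -f $f.CreationTime, $f.LastWriteTime, $f.Length)

# Hashes are what to look up (for example on VirusTotal), rather than the file name.
foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    $h = Get-FileHash -Path $img -Algorithm $alg
    Write-Output ("{0}={1}" -f $alg, $h.Hash)
}

# A valid Authenticode signature from a known publisher is far stronger evidence
# than a plausible timestamp; an unsigned kernel driver deserves a closer look.
$sig = Get-AuthenticodeSignature -FilePath $img
Write-Output ("Signature={0} Signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
```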
nycste Posted September 7, 2007
Also was infected with c:\windows\system32\msnmsg.exe. This started up after I cleaned out the first stuff. After this nothing else showed up, but I'm running the 3 online scanners; so far F-Secure found nothing, but 3 more to go.
nycste Posted September 7, 2007
Results from 3 more online scanners found nothing important.
nycste Posted September 8, 2007
Alright, someone told me to install and run Windows Live OneCare. Installed, scanned, and nothing really came up. So at this point I don't see how something is hiding in my system anymore, and if possible it just changed the folder settings and taskbar settings that aren't allowing them to work. I have no idea what they are properly called; any help there would be great. I'd guess title bar, start bar or button, and not sure what >> is called. Those are the only things not working and wrong.
Tarun Posted September 8, 2007
Moved to the correct forum. nycste, please refer to this thread.
nycste Posted September 8, 2007
Originally posted by: Tarun
Moved to the correct forum. nycste, please refer to this thread.

Just wanted to say thanks. I'll be reading it soon, probably.
thebigbluecan Posted September 8, 2007
Another idea that probably won't work.... Try changing the theme, to like the old style. As for the File, Edit, etc. bar, does it show up or pop down when you press the "Alt" key (Alt+F for File)?
nycste Posted September 8, 2007
Originally posted by: thebigbluecan
Another idea that probably won't work.... Try changing the theme, to like the old style. As for the File, Edit, etc. bar, does it show up or pop down when you press the "Alt" key (Alt+F for File)?

Tried all that. Alt+F does nothing.
nycste Posted September 12, 2007
Alright, I've been finding more and more programs which help scan, clean, etc. etc., programs you use after you're infected, and I run several scans daily for the past couple days trying to rid my system of whatever bug I have that appears to keep dodging all scan programs.

AVG Anti-Spyware just found C:\WINDOWS\system32\drivers\etc\wtf15\pnc.exe. It's quarantined, I think. This wtf15 folder has shown up on a few searches over the past couple days. Does anyone know if the folder itself is important? Can I just delete it? Here is a picture of said folder; looking for advice.

Just ran Ad-Aware SE and it found nothing, while keeping AVG always running, and I tried Antivir as main AV for a few days and that worked well too. Just testing out different programs since I plan on reformatting anyway.
nycste Posted September 12, 2007 (edited)
Originally posted by: NYCSTE2003
Originally posted by: mechBgon
Try uploading each file from that folder to the analyzer at http://www.virustotal.com and paste the resulting diagnoses for each file here. This should be interesting...

Will do, thank you. Running 3 programs now:
Spybot Search and Destroy
Spyware Terminator
ComboFix
AboutBuster
Prevx2Agent.1.0.2.86
AVG anti-toolkit after reboot

Edited September 12, 2007 by nycste
nycste Posted September 12, 2007
For some reason Spybot won't do a full scan; it keeps saying stopped by user. Gonna see what happens after reboot. Also Internet Explorer tried to take over Firefox again. Explorer crashed.

Checking all those files in dir wtf15 at virustotal.com:

File 123.bat received on 09.12.2007 07:05:00 (CET)
Result: 0/32 (0%)

File 139.txt received on 09.12.2007 07:05:41 (CET)
Result: 0/32 (0%)

File fixt received on 09.12.2007 07:05:50 (CET)
Result: 0/32 (0%)

File httpget.exe received on 09.12.2007 07:06:08 (CET)
Result: 7/32 (21.88%)
Details:
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.12 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 suspicious Trojan/Worm
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 Low threat detected
Fortinet 3.11.0.0 2007.09.12 PossibleThreat
F-Prot 4.3.2.48 2007.09.12 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2523 2007.09.12 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 Suspicious file
Prevx1 V2 2007.09.12 -
Rising 19.40.20.00 2007.09.12 -
Sophos 4.21.0 2007.09.12 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 Trojan.Downloader.Win32.Malware.gen (suspicious)
Additional information
File size: 17566 bytes
MD5: 7aa74d465d11a1c4308530eb13b19029
SHA1: 1918cb3e8b8dcc6d92f9b67f0ba784b70c10539f
Bit9 info: http://fileadvisor.bit9.com/services/extin...08530eb13b19029
packers: Aspack
nycste Posted September 12, 2007
File ntinstall.ini received on 09.12.2007 07:07:52 (CET)
Result: 0/32 (0%)

File qb.bat received on 09.12.2007 07:07:57 (CET)
Result: 0/32 (0%)

File qbkill.bat received on 09.12.2007 07:08:10 (CET)
Result: 0/32 (0%)

File smnt.scr received on 09.12.2007 07:08:23 (CET)
Result: 0/32 (0%)

File kill.bat received on 09.12.2007 07:07:43 (CET)
Result: 0/32 (0%)

File kill.exe received on 09.12.2007 07:07:48 (CET)
Result: 1/32 (3.13%)
Details:
Fortinet 3.11.0.0 2007.09.12 Misc/MSKILL
nycste Posted September 12, 2007
AppName: explorer.exe AppVer: 6.0.2900.3156 ModName: libavcodec.dll
ModVer: 0.0.0.0 Offset: 001f09a1
is the Explorer crash.

And update: Spybot is now working and scanning.
nycste Posted September 12, 2007
File setup.exe received on 09.12.2007 07:08:36 (CET)
Result: 1/32 (3.13%)
Details:
Prevx1 V2 2007.09.12 Heuristic: Suspicious Hijacker