03-05-2006, 08:58 PM   #8
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,795
OS: 2000 Pro; XP Pro; XP Home


Did you receive any error messages while trying to delete the files I had listed? They are all still present in the Kaspersky log. You also have a new infection. Please be careful of the sites you visit; you must be traveling in dark alleys.

Did you clear Firefox's cache? Do so again.

Clear the Firefox cache. Tools > Options > Privacy > Cache > Click on Clear.

Did you install the new hosts file as sUBs requested? Let's try again.....

First, Download Hoster.exe

Run Hoster.exe.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.

Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

------------------------------------------

Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

FixWareOut will produce a logfile, report.txt, located within the C:\fixwareout folder.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

O4 - HKCU\..\Run: [UnSpyPC] "E:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{47474C52-F2EE-473C-9283-546A0B832899}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E7DA7E0-0DA6-44BF-BDDC-A99674E697B3}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BA718BC-F239-4F7F-9BAF-EBC7CFF1F80D}: NameServer = 85.255.116.171,85.255.112.228


Reboot into safe mode.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found:

UnSpyPC

Delete these files/folders:

E:\Program Files\UnSpyPC
E:\Program Files\aim error ace
E:\WINDOWS\Downloaded Program Files\toolbar.dll
E:\WINDOWS\system32\cacore.dll
E:\WINDOWS\system32\desktrf-667279.exe
E:\WINDOWS\system32\winb2s32.dll
E:\WINDOWS\system32\winb2s33.dll


Reboot into normal mode now.

Is there some reason you're not using the Panda scan I've now requested twice? Is it failing to run for you?

I need a different online scan than Kaspersky now, as one will see what the other may not. Use the Panda scan, and post the results.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan



If Panda fails, use this one:


TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes, I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again; you can just close the browser window.


Run a new HijackThis scan. Save the log file and post it here.

Please return with logs from:

Wareout (report.txt)
Panda (if possible)
Housecall
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 03-05-2006 at 09:09 PM.
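An added example, not part of tetonbob's post: the O17 lines listed for fixing above are per-interface Tcpip NameServer values, and this sketch parses HijackThis O17 lines and reports any resolver outside an allowlist so the same check can be repeated on the follow-up log. The function names, the 192.168.0.0/16 allowlist and the last sample line are assumptions made for the example.

```python
import ipaddress
import re

# HijackThis O17 line layout: "O17 - <registry key>: <value name> = <data>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")

# Sample log: the O4 and first three O17 lines are quoted from the post;
# the last O17 line (zero GUID, 192.168.1.1) is constructed for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [UnSpyPC] "E:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{47474C52-F2EE-473C-9283-546A0B832899}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E7DA7E0-0DA6-44BF-BDDC-A99674E697B3}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BA718BC-F239-4F7F-9BAF-EBC7CFF1F80D}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Yield (registry_key, value_name, [entries]) for every O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # Resolver lists may be comma- or space-separated.
            entries = [e for e in re.split(r"[,\s]+", m["data"]) if e]
            yield m["key"], m["name"], entries


def unexpected_resolvers(log_text, allowed_networks):
    """Return (registry_key, resolver, reason) for resolvers outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for key, name, entries in parse_o17(log_text):
        if name.lower() != "nameserver":
            continue  # O17 also reports Domain and SearchList values
        for entry in entries:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                findings.append((key, entry, "not an IP address"))
                continue
            if not any(addr in net for net in nets):
                findings.append((key, entry, "outside allowlist"))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the home router's private range.
    for key, resolver, reason in unexpected_resolvers(SAMPLE_LOG, ["192.168.0.0/16"]):
        print(f"{resolver:<16} {reason:<18} {key}")
```

An empty result on the new HijackThis log means no NameServer value points outside the allowlist; replace the allowlist with the resolvers the machine is actually expected to use.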