Deathware help!!

willd58 · 15 Jul 2006 at 21:58

Hi, iv been infected with a horrible program, i have no idea how, but now my ctrl alt del doesnt work, hi jack this wont run, ad aware wont run, spy bot S & D runs, finds loads of things, but doesnt kill it. Im really stuck as to what to do, can someone please help! I really dont wana have to format. Adverts are popping up from IE every 10 to 30 seconds :mad:

Retorted · 15 Jul 2006 at 22:00

Have you tried running them in safe mode?

Is it possible to do a system restore?

willd58 · 15 Jul 2006 at 22:18

It turned system restore off and deleted all the old points :/

Iv got it into safe mode, but in safe mode my PC cant use its wireless, so dont have internet, ran S&D in safe mode because it was all updated, i also ran hi jack this in safe mode. if i post my results will anyone on here be able to help? Thanks.

Edit- it wont let me open my hi jack this in note pad, it shuts to quickly :/

heres it copy and pasted from word.

Logfile of HijackThis v1.99.1
Scan saved at 22:12:01, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Will\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Keygen.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148329380838
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Meatball · 15 Jul 2006 at 22:34

O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Keygen.exe - doesn't look good to me :confused:

Scythe · 15 Jul 2006 at 22:35

Im no Hijack This expert, but by the looks of it, the following need to go.

Code:

O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Keygen.exe

Code:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Code:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

as i said, I'm no expert but The Kid seems to be good at managing hjt logs so tbh i'd wait before his advice on my actions.

willd58 · 15 Jul 2006 at 22:35

Right, that hijack this report was done in safe mode, apparently thats a no no and Hi jack this wont run in normal mode, it opens then shuts straight away :/

Scythe · 15 Jul 2006 at 22:36

Lost-Prophet said:
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Keygen.exe - doesn't look good to me

I admit, I missed it 1st time then i looked again and saw Keygen and thought :confused:

followed by :eek:

Scythe · 15 Jul 2006 at 22:37

willd58 said:
Right, that hijack this report was done in safe mode, apparently thats a no no and Hi jack this wont run in normal mode, it opens then shuts straight away :/

Looks like the malware is intelligent in the fact it shuts anti malware/virus programs down.

Meatball · 15 Jul 2006 at 22:37

Scythe said:
I admit, I missed it 1st time then i looked again and saw Keygen and thought followed by

I've tried googling but got mostly "keygen for this game" but I found this: read me . I would stop it

willd58 · 15 Jul 2006 at 22:40

Yep thats exactly it, how do i kill it, just deleting it wont work.

Toytown · 15 Jul 2006 at 22:57

depends on how bad the file is latched to the system.

In safe mode, some things ive done before are renaming the file to keygen.txt, then kill it in taskmanager. When it immediately tries to restart it will open the notepad file or something, but then the program is not loaded, so you can just close it and then delete the file and then it shouldnt be anymore bother.

You could also try using "unlocker" to delete the file, its a free download available at ccollomb.free.fr

If you still have problems getting rid of the file and it will not let you delete the file at all, then you can boot from the windows XP install CD, select recovery console, and then delete the file in that (you have to use DOS commands to do this), although to be honest, you should only need the 3 commands CD/DEL/ATTRIB , i have found this way works 100% of the time, as windows isnt yet loaded and the virus/trojan can not do anything.

Meatball · 15 Jul 2006 at 22:58

willd58 said:
Yep thats exactly it, how do i kill it, just deleting it wont work.

have you tried searching for the file (keygen.exe) in safe mode and deleting it?

Scythe · 15 Jul 2006 at 23:29

Use KillBox, If that doesnt kill it, nothing will.

Killbox said:
Download this file, extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

Also, if not already ticked, tick Delete on Reboot

http://download.bleepingcomputer.com/spyware/KillBox.zip

willd58 · 16 Jul 2006 at 00:14

Scythe said:
Use KillBox, If that doesnt kill it, nothing will.

Also, if not already ticked, tick Delete on Reboot

http://download.bleepingcomputer.com/spyware/KillBox.zip

Ah yea, thats killed it well and good i think. The only thing is, now im missing my run button on the start menu?!

Ad awares running as we speak.

willd58 · 16 Jul 2006 at 00:22

and i cant Ctrl alt del, it says its been denied by admin :/

benjo plz. · 16 Jul 2006 at 00:31

You need to enable that through regedit.

You need to be logged on as you, and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
the key you want is DisableTaskMgr and it needs to be set to 0

.