virus/trojan taskbar and start menu not fully working


Just updating this thread since no one here seems to care.

Originally posted by: mechBgon

Generally you'd start the program and then go to its Reports or Logs or whatever, and it would list them. visual example

The info you gave there indicates Trojans, which is not very surprising. People might run a Trojan and infect their own computer (infected warez, music files or video files containing exploits, etc), and that's up to them to wise up and stop being gullible idiots.

Exploits can also hit you with Trojans, and they are preventable/containable --> http://www.mechbgon.com/build/security2.html

At this point, you have your options. Fight your way forward, System-Restore your way back, or burn it to the ground and start over. If you are patient and can follow instructions exactly, then the CastleCops.com HijackThis forum has experts who would get you cleaned up, but it can be a lengthy process and requires restraint and self-discipline on your part to NOT go willy-nilly doing stuff they didn't tell you.

I'm glad you're here, and solving issues like this is really exciting for me. Wow, that sounded corny, but yeah, it's true. Thanks for spending time trying to help; you are helping, and I'm learning about new sites and programs that help.

1. Currently I'm running the online F-Secure test.

2. Downloaded and installing:

-Comodo BOClean Anti-Malware_4.25.exe

-AVG Anti-Spyware 7.5-7.5.1.43.exe

-avast! Virus Cleaner - free virus removal tool v1.0.211, built on 11.5.2007.exe

-SUPERAntiSpyware Version 3.9.1008 .exe

3. Going to install them all, figure them out, and run them.

4. I'm pretty sure I'm cleaned up, but my issues remain, so maybe I'm not fully clean.

Thanks for your help. I'll keep this thread updated, and I am interested in the CastleCops site.


It's not much, but just sharing more info.

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 09/07/2007 at 01:59 AM

Application Version : 3.9.1008

Core Rules Database Version : 3301

Trace Rules Database Version: 1307

Scan type : Custom Scan

Total Scan Time : 00:59:18

Memory items scanned : 518

Memory threats detected : 0

Registry items scanned : 5311

Registry threats detected : 25

File items scanned : 31672

File threats detected : 1

Unclassified.Oreans32

HKLM\System\ControlSet001\Services\oreans32

C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS

HKLM\System\CurrentControlSet\Services\oreans32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#DeviceDesc

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Capabilities

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000\Control

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000\Control#ActiveService

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

I checked out the location of the file

C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS

and it was last modified 8/24, way before I believe any infection happened, which was 1-3 days ago from a keygen.

According to the program, it says this:

Detected Item Description and Information

Listed below is basic information about the detected application/process. This application may not be safe to have on your system.

Summary : Unclassified.Oreans32.Process

Company : Unknown

Description : Unclassified.Oreans32 may be used for legitimate applications, but also for spyware - if you have this on your system, and you have another spyware infection, this is likely bad.

Threat Level (1-10) : 6

Processes : OREANS32.SYS

So I don't know if oreans32 is good or bad, but that's all that the scanners found.

Ran 3 new things and only this came up. The F-Secure online scan found something in my data folder; not sure what it removed, but my Firefox was messed up from that scan.

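The scan log above reports "25 registry threats" and "1 file threat", but every one of those registry lines belongs to a single kernel driver service (oreans32): the service key under Services, its Start/Type/ImagePath values, and the LEGACY_* device-enumeration entries Windows creates for any legacy driver. The parser below is an added example, not part of the thread or of SUPERAntiSpyware; it groups the log's detection lines by threat name and collapses the registry noise into the distinct service names involved, so the reader can tell "one driver with 25 registry keys" from "25 separate things". The sample input is a trimmed copy of the log posted above; all function and constant names are my own.

```python
import re

# Constructed excerpt in the format of the SUPERAntiSpyware log posted above;
# the detection lines are copied from that log, the summary lines are trimmed.
SAMPLE_LOG = r"""
Registry threats detected : 25
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32000#Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
"""

HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
SUMMARY_LINE = re.compile(r"^.+ : .+$")            # e.g. "Registry threats detected : 25"
SERVICE_KEY = re.compile(r"\\Services\\([^\\#]+)", re.IGNORECASE)


def parse_sas_log(text):
    """Group detection lines under their threat name.

    Returns {threat: {"files": [...], "registry": [...], "services": set()}}.
    Each registry line is one "registry threat" in the scanner's count; the
    service names show how many distinct services those lines really describe.
    A line that is neither a registry key nor a drive path starts a new threat.
    """
    findings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (SUMMARY_LINE.match(line) and not DRIVE_PATH.match(line)):
            continue
        if line.upper().startswith(HIVES):
            if current is None:
                continue
            findings[current]["registry"].append(line)
            m = SERVICE_KEY.search(line)
            if m:
                findings[current]["services"].add(m.group(1).lower())
        elif DRIVE_PATH.match(line):
            if current is None:
                continue
            findings[current]["files"].append(line)
        else:
            current = line
            findings.setdefault(current, {"files": [], "registry": [], "services": set()})
    return findings


def summarize(findings):
    """One row per threat: (threat, registry hits, file hits, distinct services)."""
    return [(name, len(f["registry"]), len(f["files"]), sorted(f["services"]))
            for name, f in findings.items()]


if __name__ == "__main__":
    for row in summarize(parse_sas_log(SAMPLE_LOG)):
        print(row)
```

Once the service name is known, the next step on the machine itself is to read the Start value of that service key (a driver set to boot or system start loads before any user-mode scanner) and to hash the ImagePath file rather than trusting its modification time, which is trivial to forge.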
Also was infected with c:\windows\system32\msnmsg.exe

This started up after I cleaned out the first stuff. After this nothing else showed up, but I'm running the 3 online scanners; so far F-Secure found nothing, but 3 more to go.

Alright, someone told me to install and run Windows Live OneCare. Installed, scanned, and nothing really came up.

So at this point I don't see how something is hiding in my system anymore; if possible, it just changed the folder settings and taskbar settings that aren't allowing them to work. I have no idea what they are properly called; any help there would be great.

I'd guess title bar, start bar or button, and not sure what >> is called. Those are the only things not working and wrong.

Another idea that probably won't work... Try changing the theme to the old style. As for the File, Edit, etc. bar, does it show up or pop down when you press the "Alt" (Alt+F for File) key?

Tried all that.

Alt+F does nothing :(

Alright, I've been finding more and more programs which help scan, clean, etc., programs you use after you're infected, and I've run several scans daily for the past couple of days trying to rid my system of whatever bug I have that appears to keep dodging all scan programs.

AVG Anti-Spyware just found

C:\WINDOWS\system32\drivers\etc\wtf15\pnc.exe

It's quarantined, I think. This wtf15 folder has shown up on a few searches over the past couple of days; does anyone know if the folder itself is important? Can I just delete it?

Here is a picture of said folder; looking for advice.

Just ran Ad-Aware SE and it found nothing.

While keeping AVG always running, I tried AntiVir as main AV for a few days and that worked well too; just testing out different programs since I plan on reformatting anyway.

[image: newbitmapimage2xf0.th.jpg]

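Before deleting or uploading anything from a folder like wtf15, a practitioner takes an inventory: size, timestamp and MD5/SHA-1/SHA-256 of every file, so the hashes can be looked up on VirusTotal without re-uploading, and so a record survives even if a scanner quarantines the folder. The script below is an added example, not code from the thread; the sample folder it builds is constructed (file names borrowed from the post, contents made up, including an .ini that deliberately carries an executable header to show the content check). Function and constant names are my own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Extensions Windows executes directly; .scr and .pif are screensaver/shortcut
# formats that are really PE executables, a common disguise.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js"}


def inventory(folder):
    """Hash and timestamp every regular file in folder (non-recursive).

    The hashes are what you look up on VirusTotal; the PE check (an "MZ" header)
    catches executables hiding behind a harmless extension such as .txt or .ini.
    """
    rows = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        st = os.stat(path)
        rows.append({
            "name": name,
            "size": st.st_size,
            # mtime is what the poster relied on; it is trivially forgeable,
            # so treat it as a hint, not as evidence.
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "exec_ext": os.path.splitext(name)[1].lower() in EXEC_EXT,
            "pe_header": data[:2] == b"MZ",
        })
    return rows


def suspicious(rows):
    """Names worth submitting first: executable by extension or by content."""
    return [r["name"] for r in rows if r["exec_ext"] or r["pe_header"]]


def build_sample_folder():
    """Constructed stand-in for the wtf15 folder; contents are made up."""
    folder = tempfile.mkdtemp(prefix="wtf15_")
    samples = {
        "123.bat": b"@echo off\r\nhttpget.exe\r\n",
        "139.txt": b"hello",
        "httpget.exe": b"MZ" + b"\x00" * 62,    # fake DOS header only, not a real PE
        "ntinstall.ini": b"MZ" + b"\x90" * 30,  # executable content behind an .ini name (constructed)
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    rows = inventory(build_sample_folder())
    for r in rows:
        print(f'{r["name"]:<16} {r["size"]:>6} {r["mtime"]} md5={r["md5"]} pe={r["pe_header"]}')
    print("submit first:", suspicious(rows))
```

Run it against the real folder by passing its path to inventory() instead of build_sample_folder(); the MD5 and SHA-1 columns match the values VirusTotal prints under "Additional information", so a hash hit means the file has already been analysed.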
Originally posted by: NYCSTE2003

Originally posted by: mechBgon

Try uploading each file from that folder to the analyzer at http://www.virustotal.com and paste the resulting diagnoses for each file here. This should be interesting...

Will do, thank you.

Running 3 programs now:

Spybot Search and Destroy

Spyware Terminator

ComboFix

AboutBuster

Prevx2Agent.1.0.2.86

AVG antitoolkit after reboot

Edited by nycste
For some reason Spybot won't do a full scan; it keeps saying stopped by user. Going to see what happens after reboot.

Also, Internet Explorer tried to take over Firefox again.

Explorer crashed.

Checking all those files in dir wtf15 at virustotal.com.

File 123.bat received on 09.12.2007 07:05:00 (CET)

Result: 0/32 (0%)

File 139.txt received on 09.12.2007 07:05:41 (CET)

Result: 0/32 (0%)

File fixt received on 09.12.2007 07:05:50 (CET)

Result: 0/32 (0%)

File httpget.exe received on 09.12.2007 07:06:08 (CET)

Result: 7/32 (21.88%)

Details:

AhnLab-V3 2007.9.11.1 2007.09.11 -

AntiVir 7.6.0.5 2007.09.12 -

Authentium 4.93.8 2007.09.12 Possibly a new variant of W32/CrazyCrunch-based!Maximus

Avast 4.7.1043.0 2007.09.11 -

AVG 7.5.0.485 2007.09.11 -

BitDefender 7.2 2007.09.12 -

CAT-QuickHeal 9.00 2007.09.11 (Suspicious) - DNAScan

ClamAV 0.91.2 2007.09.12 -

DrWeb 4.33 2007.09.11 -

eSafe 7.0.15.0 2007.09.11 suspicious Trojan/Worm

eTrust-Vet 31.1.5127 2007.09.12 -

Ewido 4.0 2007.09.11 -

FileAdvisor 1 2007.09.12 Low threat detected

Fortinet 3.11.0.0 2007.09.12 PossibleThreat

F-Prot 4.3.2.48 2007.09.12 -

F-Secure 6.70.13030.0 2007.09.11 -

Ikarus T3.1.1.12 2007.09.12 -

Kaspersky 4.0.2.24 2007.09.12 -

McAfee 5117 2007.09.11 -

Microsoft 1.2803 2007.09.12 -

NOD32v2 2523 2007.09.12 -

Norman 5.80.02 2007.09.11 -

Panda 9.0.0.4 2007.09.11 Suspicious file

Prevx1 V2 2007.09.12 -

Rising 19.40.20.00 2007.09.12 -

Sophos 4.21.0 2007.09.12 -

Sunbelt 2.2.907.0 2007.09.12 -

Symantec 10 2007.09.12 -

TheHacker 6.1.10.184 2007.09.11 -

VBA32 3.12.2.4 2007.09.12 -

VirusBuster 4.3.26:9 2007.09.11 -

Webwasher-Gateway 6.0.1 2007.09.12 Trojan.Downloader.Win32.Malware.gen (suspicious)

Additional information

File size: 17566 bytes

MD5: 7aa74d465d11a1c4308530eb13b19029

SHA1: 1918cb3e8b8dcc6d92f9b67f0ba784b70c10539f

Bit9 info: http://fileadvisor.bit9.com/services/extin...08530eb13b19029

packers: Aspack

File ntinstall.ini received on 09.12.2007 07:07:52 (CET)

Result: 0/32 (0%)

File qb.bat received on 09.12.2007 07:07:57 (CET)

Result: 0/32 (0%)

File qbkill.bat received on 09.12.2007 07:08:10 (CET)

Result: 0/32 (0%)

File smnt.scr received on 09.12.2007 07:08:23 (CET)

Result: 0/32 (0%)

File kill.bat received on 09.12.2007 07:07:43 (CET)

Result: 0/32 (0%)

File kill.exe received on 09.12.2007 07:07:48 (CET)

Result: 1/32 (3.13%)

Details:

Fortinet 3.11.0.0 2007.09.12 Misc/MSKILL
