Went to infected site, downloaded off of it, HELP

Ok, I went to this site, downloaded a download, ran the installer and then it added all these weird shortcuts to my desktop. Including something dealing with speed up my PC and smileys. I uninstalled it right away and then removed the shortcuts to the sites.

Well, Firefox stopped responding. So when I restarted it, it had a new addon installed. I removed that right away. My hijack this log is in the attachment and if you want to examine the file, go here, hXXp://www.appleblossomart.net/XPStyles/Pink-Love-XPStyles.htm. Be warned that the site also has javascript coding that’s malware. Be sure to have NoScript! Well, can you examine my hijack this logfile?

After I erased all of that, I went on WOT (Web Of Trust) and typed in the address. Well, it was rated yellow and two comments were saying it was a virus. So I added my comment about what happened. There is also something strange because now I can’t go to YouTube. That’s what made me suspicious. If you want I can download the installer file again and send it to Alwil.

But I still feel worried because it had something like spy in the addon. I can't remember the addon's name (sorry about that) and I might try Internet Explorer for the addon. But I don't know how to tell if an addon was installed in Internet Explorer or not because Firefox was looking like Firefox. All I wanted was a Vista style so my computer would look a little more like Vista, but I guess that plan failed.

Any advice plus why didn’t Avast! detect the sites on my desktop and the software as suspicious? Should I try Malwarebytes’ Antimalware and SuperAntiSpyware? Do I have hidden processes that Avast! didn’t alert? Will my computer be ok if I restart? Thanks for your advice if you reply!

~Donovan

Well, the analysis of the HJT log:

Check the following against VirusTotal; if not legit, fix:

C:\DOCUME~1\Donovan\LOCALS~1\Temp\MSI3CB.tmp

C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Ycomp**_.dll - Yahoo Companion!, Yahoo Companion!

O4 - HKLM..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,2

Unknown application. Check

O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed!

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
Spyware related and slows the computer down.

Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
! Is safe, nuisance score 0

O23 - Service: SeekappSrch Service - Unknown owner - C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
Your computer has been severely infected by malware, that is SEEKAPP139.EXE. This is quite dangerous and unsafe for your PC and there may be other infections on your PC. You should urgently check your PC and remove any malicious application including SEEKAPP139.EXE as soon as possible.
Location : C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp139.exe
Type : Malware
Dangerous : YES
Removal : Immediately
How to remove using ComboFix: http://forums.majorgeeks.com/showthread.php?p=1331439
Follow the instructions there to remove this from Firefox. KILLALL with ComboFix, look where these items actually are on your machine, and give these files and paths following the example below:

Driver::
seekapp139

File::
C:\Program Files\Mozilla Firefox\extensions\{4548ECB8-DA60-439A-A00D-5C893F8E1F9A}\chrome\seekapp.jar
C:\Program Files\Mozilla Firefox\searchplugins\seekapp139.xml
C:\Documents and Settings\All Users\Application Data\SeekappSrch\seekapp139.exe

Folder::
C:\Program Files\SeekappSrch

You will be known as the young malware fighter that learned cleansing the hard way, namely by self-infection, also known as the procedure of self-infliction,

polonus
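The rules of thumb in the reply above (dead O2 entries can be fixed, O16 ActiveX downloads from unknown sites should be fixed and always when the name or URL says 'dialer', 'casino' or 'free plugin', an O23 service with an unknown owner running out of Application Data is the first thing to hash and look up) are easy to turn into a small triage script. The following is an added example, not code from the thread or from HijackThis; the sample log lines are constructed after the entries quoted above, and the keyword and directory lists are assumptions a real triage would extend. The SHA-256 helper gives you the hash to paste into a VirusTotal search without uploading the file.

```python
"""Rule-based triage of HijackThis (HJT) log entries (added example)."""
import hashlib
import re

# Keywords from the reply above (assumption: a real list would be longer).
SUSPICIOUS_WORDS = ("dialer", "casino", "free plugin")

# Directories legitimate services and autostarts rarely run from (assumption).
SUSPICIOUS_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\")

# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\\..\\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,2
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O23 - Service: SeekappSrch Service - Unknown owner - C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\SeekappSrch\\seekapp139.exe
"""

# Every HJT entry starts with its section tag, e.g. "O16 - DPF: ...".
HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def triage_entry(line):
    """Return (section, verdict, reason) for one HJT line, or None if it is not one.

    verdict is "fix" (remove with HJT), "check" (look up before deciding)
    or "info" (no rule applies).
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    lowered = body.lower()

    if any(w in lowered for w in SUSPICIOUS_WORDS):
        return section, "fix", "name, path or URL contains a known-bad keyword"

    if section == "O2" and "(no file)" in lowered:
        return section, "fix", "BHO registration whose DLL is gone (dead entry)"

    if section == "O16":
        # DPF entries are ActiveX controls IE downloaded from a site; the log
        # alone cannot vouch for the site, so the human has to recognise it.
        return section, "check", "ActiveX download; fix unless you recognise the site"

    if section == "O23":
        if "unknown owner" in lowered and any(d in lowered for d in SUSPICIOUS_DIRS):
            return section, "fix", "unknown-owner service running from a data/temp directory"
        return section, "check", "service; verify publisher and path"

    if section == "O4":
        return section, "check", "autostart; confirm you installed it"

    return section, "info", "no rule for this section"


def triage_log(text):
    """Triage every HJT line in a log; returns a list of (section, verdict, reason, line)."""
    results = []
    for line in text.splitlines():
        entry = triage_entry(line)
        if entry is not None:
            results.append(entry + (line,))
    return results


def sha256_of_bytes(data):
    """SHA-256 hex digest; VirusTotal accepts this for a lookup without an upload."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream a file through SHA-256 so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for section, verdict, reason, line in triage_log(SAMPLE_LOG):
        print(f"{verdict:5} {section:3} {reason}\n      {line}")
```

Run it on a real log with `triage_log(open("hijackthis.log").read())`, then hash each "fix" or "check" file with `sha256_of_file()` and search VirusTotal for that digest; a "check" verdict is a prompt to look, not a clean bill of health.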


Sooner or later, his computer is going to get infected with something that can not be fixed.


Hi CharleyO,

The only way some will be educated, vitro stands in the hallway 8) together with malware all sorts, nice couple, don’t you think?

polonus

Location: C:\DOCUME~1\Donovan\LOCALS~1\Temp\MSI3CB.tmp
Name: MSI3CB.tmp
VirusTotal Results
Stats: Virus Not Detected By Avast,
Action: Will be moved to chest and sent to Alwil.

Location: C:\Documents and Settings\All Users.WINDOWS\Application Data\SeekappSrch\seekapp139.exe
Name: seekapp139.exe
VirusTotal Results
Stats: Possible False Positive
Action: Send to Alwil just in case.

Name: O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Stats: Known but removed from computer.
Action: Deleted

Name: O4 - HKLM..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,2
Stats: My Windows Vista cursor for XP.
Action: No Action

That's all I can do so far. :wink:

I’ll try using ComodoFix to remove it!

Hi Donovansrb10,

So from now on we only give you an indication of what could be wrong or not; the investigating, the malware cleansing etc. you have to do on your own. That is the best way to get organized.
One day in the future you will also turn to SafeHex, first just build your own convictions,

polonus

Used ComboFix but I fell asleep while it was cleaning. Where does it save the log?

Look for ComboFix.txt with the search function of your computer, you may find it that way,

polonus

I couldn't find combofix.txt...

Look for log.txt then,

p

I only found this log.txt:

11:8:9.140 **************************
11:8:9.140 * P.L.F.S. *
11:8:9.140 * Polygon LogFile System *
11:8:9.140 * 2000 *
11:8:9.140 **************************
11:8:9.140
11:8:9.765 INFO: INFO: Begin Surface init
11:8:9.765 INFO: new SaianSound
11:8:10.109 INFO: READ: attenteZomb.anm
11:8:10.171 INFO: READ: attenteZomb2.anm
11:8:10.171 INFO: READ: pris.anm
11:8:10.218 INFO: READ: PitiZomb1.anm
11:8:10.280 INFO: READ: PitiZomb2.anm
11:8:10.296 INFO: READ: PitiZomb3.anm
11:8:10.640 INFO: Read to rumble
11:8:22.609 INFO: interface : 1
11:8:48.234 INFO: Queued Speech : sounds\ope11.6.wav
11:8:48.234 INFO: Queued Speech : sounds\zbv11.wav
11:9:16.609 INFO: CREDITS !!!
11:9:23.562
11:9:23.562 *******************
11:9:23.562 * PLFS terminated *
11:9:23.562 *******************
11:9:23.562

Hi d,

It should be in the folder where ComboFix is. Else you could run ComboFix again and publish that logfile txt here,

polonus

I'll try running ComboFix again but it may have an error since a virus made me lose administrator status...

Hope that ur problem will be fixed soon^^

God Bless u…

-AnimeLover^^

-= Boot into Safe Mode & log in as the user with the name Administrator... Then go to Control Panel & change your account type to Computer Administrator... Reboot...

What's the administrator password? ???

I think a while ago a virus removed my safemode.

I sense a re-install on the horizon.
Sorry to say, not very surprised.
I’d look at a full format and fresh install.
Maybe you can fix it, I don’t know. I certainly wouldn’t try at this point. You’ve borked it.

I don't think it is able to remove Safe Mode. Check jumpers for starters. Begin by booting up with a single HDD, your system drive, which should be C:.
Unclip the rest; you can add them back on later. Sort out C:\ first.
Go into CMOS setup when your computer posts, and check your IDE or SATA disks, because you should be able to boot into Safe Mode. If you can't, then the intrusion could be nasty.

Anything from logs yet?

After reading some of his threads I realized that he keeps getting infected time and time again. Will he ever learn?

@Donovansrb10: Why are you asking us what the admin password is on your computer? How are we supposed to know? I am assuming you were able to get into Safe Mode if you are asking for the admin password?

A combofix log would be nice.

BTW ComboFix log should be located at C:\ComboFix.txt …