Win32:Iroffer-003[trj]

This virus did something bad to my computer. I can't see my taskbar icons near the clock now and I'm kind of worried. I think it's removed, but are there some other fixes? I'll check back in the morning.

Thanks

Click on the link in my signature and follow the instructions in the malware removal section. After doing so, come back here and let us know if you have problems.

Also had WinIogon (notice the "I" (eye) that is not an L) on my computer with this virus. I accidentally downloaded it trying to get a game patched. I have run HijackThis, Ad-Aware and Spybot, and deleted all references to it with a search of the hard drive.

My computer still seems buggy.

At first it was restarting my computer after a 1-minute warning, but not now. And my taskbar notification area is blanked out and inaccessible at the moment. I can't customize it either when I right-click. Only the clock shows now, and I don't think the taskbar icons there are working.

I heard the WinIogon is a "backdoor" password-grabbing thing, so I'm pretty worried.

At first it was restarting my computer after a 1-minute warning
That is a strong indication that the system is infected with the Blaster/Sasser worm.

Perform an in-place repair of Windows:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341

After Windows is working again, immediately visit the MS update website and keep going there until ALL security patches/fixes are installed.
(Windows update)

If you have MS-Office installed, do the same for office from that website.

repeat post…

I heard the WinIogon is a "backdoor" password-grabbing thing, so I'm pretty worried.

In that case, make sure your Windows is up to date via Windows Update and change all your passwords.

Also, can you post your HijackThis log here so we can check that your system is clean?

Also run an anti-virus, such as avast! Antivirus, and you may want to check your computer with an online one as well (you can get one from Eddy's signature).

Only the clock shows now, and I don't think the taskbar icons there are working.

What icons are they?

–lee

EDIT: Oops, beat me to it, Eddy.

If I do the in-place repair of Windows, will I lose all my installed programs? I have the FixBlast program and tried to run it, and it stalled. I'll try to run it again.

Avast said that svchost was the infected file with the Iroffer trojan, and I notice in the HijackThis log there are multiple entries.

Here's my HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\RingCentral\BuzMe\RCUI.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Desktop\SpywareUtilities\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [EZNXP] C:\PROGRA~1\EZN\EVERYO~1\eznorun.exe
O4 - HKCU..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: BuzMe.lnk = C:\Program Files\RingCentral\BuzMe\RCUI.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092969660908
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O17 - HKLM\System\CCS\Services\Tcpip..{4D02352B-6B68-4E37-B321-4A0336A2B334}: NameServer = 209.63.0.6 207.173.86.6
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

I found a tool here that repaired my taskbar problem:

http://www.kellys-korner-xp.com/xp_t.htm
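Two points raised earlier in the thread are worth automating when reading a log like the one above: the WinIogon remark (a capital I standing in for the l of winlogon.exe) and the request to check the "Running processes" list for anything that does not belong. The script below is an added example and is not from the thread, from HijackThis or from avast!. It parses a HijackThis-style log, folds confusable characters (i/1 for l, 0 for o, 5 for s, rn for m) on both sides of every comparison so that look-alike names collapse onto the real one, and also flags a genuine core binary running from a directory other than the one a stock XP install uses. The core-binary table, the directory expectations and the sample log (including the planted winiogon.exe and the svchost.exe outside System32) are constructed assumptions for the example, not facts from the page.

```python
"""
Added example: flag look-alike and out-of-place core Windows processes in a
HijackThis-style log. Not part of the forum thread or of HijackThis itself.
"""
import re
from typing import Dict, List, Optional

# Assumption: a stock Windows XP install under C:\WINDOWS. Each core binary
# is mapped to the sub-directory of SYSTEM_ROOT it should be running from.
SYSTEM_ROOT = r"c:\windows"
CORE_BINARIES = {
    "smss.exe": r"\system32",
    "winlogon.exe": r"\system32",
    "services.exe": r"\system32",
    "lsass.exe": r"\system32",
    "svchost.exe": r"\system32",   # several copies are normal on XP
    "spoolsv.exe": r"\system32",
    "explorer.exe": "",            # C:\WINDOWS\Explorer.EXE
}

# Characters an attacker swaps in to make a file name look like a system one,
# e.g. the capital I used to imitate the l in winlogon.exe.
HOMOGLYPHS = {"i": "l", "1": "l", "0": "o", "5": "s"}

PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)


def canonical(name: str) -> str:
    """Collapse confusable characters so 'winiogon.exe' and 'winlogon.exe'
    map to the same string. Applied to both sides of every comparison."""
    lowered = name.lower().replace("rn", "m")
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in lowered)


def running_processes(log: str) -> List[str]:
    """Return the full paths listed under 'Running processes:'."""
    paths: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_section = True
            continue
        if in_section:
            if not line:            # a blank line ends the section
                break
            if PROCESS_RE.match(line):
                paths.append(line)
    return paths


def check_process(path: str) -> Optional[Dict[str, str]]:
    """Return a finding for one process path, or None if it looks normal.

    Two checks: an exact core name running outside its expected directory,
    and a name that only matches a core binary after homoglyph folding."""
    directory, _, name = path.lower().rpartition("\\")
    for core, subdir in CORE_BINARIES.items():
        expected_dir = SYSTEM_ROOT + subdir
        if name == core:
            if directory != expected_dir:
                return {"path": path,
                        "reason": f"{core} running from {directory}, "
                                  f"expected {expected_dir}"}
            return None
        if canonical(name) == canonical(core):
            return {"path": path, "reason": f"look-alike of {core}"}
    return None


def scan_log(log: str) -> List[Dict[str, str]]:
    """Run check_process over every running process in the log."""
    findings = []
    for path in running_processes(log):
        finding = check_process(path)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample in HijackThis layout (not the log posted in the thread).
# The winiogon.exe line and the svchost.exe outside System32 are planted.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\winiogon.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['path']}: {f['reason']}")
```

Folding is applied to both the log name and the reference name, otherwise a legitimate services.exe (which contains an i) would no longer equal itself after folding. Multiple svchost.exe entries are expected on XP and are not reported; only a copy outside System32 is. A look-alike hit says nothing about what the file does, so the next step is still to submit it to the vendor or check it with a second scanner, as the thread goes on to do.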

If I do the in-place repair of Windows, will I lose all my installed programs?

No.

These are the results from Eddy's HijackThis Analyser:


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

o16 - dpf: yahoo! dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
o16 - dpf: yahoo! gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
o16 - dpf: {3fe16c08-d6a7-4133-84fc-d5bfb4f7d886} (webgameloader class) - http://zone.msn.com/bingame/rtlw/default/reflexivewebgameloader.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/quicktimeinstaller.exe
o16 - dpf: {4c39376e-fa9d-4349-bacc-d305c1750ef3} (epuimagecontrol class) - http://tools.ebayimg.com/eps/wl/activex/epuwalcontrol_v1-0-3-17.cab
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1092969660908
o16 - dpf: {a17e30c4-a9ba-11d4-8673-60db54c10000} (yahooymailto class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
o16 - dpf: {a3009861-330c-4e10-822b-39d16ec8829d} (cravonline object) - http://www.ravantivirus.com/scan/ravonline.cab
o16 - dpf: {bac01377-73dd-4796-854d-2a8997e3d68a} (yahoo! photos easy upload tool class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hkcu..\run: [ie new window maximizer] c:\program files\ie new window maximizer\iemaximizer.exe

And just for future reference, you need to post the whole log so we can help fully; you missed the top part of your log out when you posted it. It would look similar to the part quoted below:

Logfile of HijackThis v1.99.0
Scan saved at 21:33:45, on 05/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

But nothing in your log, if anything, has to do with a trojan (that I can see anyway, but Eddy's the expert).
Does avast still detect the trojan? If so, does doing a boot-time scan work?
Have you changed your passwords yet and done all Windows updates?

–lee

But nothing in your log, if anything, has to do with a trojan (that I can see anyway, but Eddy's the expert)

Does avast still detect the trojan? No

If so, does doing a boot-time scan work? Did that, looks OK now

Have you changed your passwords yet and done all Windows updates?
Yes

I think everything is OK now, thanks for the help.

Just got a warning that it's back???

svchost infected with Win32:Iroffer-003 again

Have you tried any online scan?
Do you have the path to the trojan?

Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

I did a boot-time scan, but it didn't find it. I did an online scan with RAV and it found it in system32. I went ahead and deleted some of the most recently created files in system32 that seemed related to the virus, and some others. I hope that gets it; for now it's gone again anyway.

This is not safe.
It is better to manually add them to the Chest.
What were your boot-time scanning settings? Did you ask to scan archives?

I think he found them with the RAV scan, which would have made the Chest a bit difficult. Pity he couldn't send a copy to avast!

Iroffer back again…

Did a thorough scan with avast of the affected areas and it came up with this:

C:\WINDOWS\SYSTEM32\winiogon.exe[UPX]

But it showed an error when I tried to move, chest, delete or scan it, and I was unable to do any of these things.

Help ???