new messenger virus!

Wicked. One thing I'm still wondering though is how you are blocked from Symantec and such. That's what turned my attention to the host file, and the suspicious 'proxy server' noticed by Hijack This.

Good stuff Psy, glad to help. Learned more in the process ;)
 
ok mastershakes, done some homework, and a program i messed around with a while back called MultiProxy was the cause of the mysterious proxy server; to use it, it tells you to set the proxy to 127.0.0.1 and the port to 8088 to access the internet.

http://www.multiproxy.org/help.htm

i just never changed it back when i deleted the prog :(
___________________________________________________________

now, after following lancer's advice, i installed ewido in safe mode and done a complete scan which came up with nothing, so i decided to do a HouseCall, which i hadn't expected to come up with anything, as i had already run it in normal mode, but it came up that i was infected with a virus called MUGLY.I,

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MUGLY.I
____________________________________________________________

so after googlin that, i came up with this:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41687

and an online scan detected the old hosts file, on my desktop as a textfile, as this:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39376

____________________________________________________________

some more googlin on removin mugly and i discovered symantec had no specific removal tool, so i tried a manual removal by followin their instructions, which turned up that neither the files, nor the registry entries, existed!!!
http://securityresponse.symantec.com/avcenter/venc/data/w32.mugly.h@mm.html

____________________________________________________________

least we know where the mysterious proxy came from, and how the hosts file was modified...

strange thing is, i don't even remember an e-mail like that...

however, i attached a few logs n stuff for ye to look at as my system stands now...

View attachment hijackthisold.txt View attachment hijackthisnew.txt View attachment startuplist.txt
 
From Startuplist, here are my suspects:

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE


[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE


http://startup.iamnotageek.com/srch-Shmgrate.exe.html - there's a trojan... ;)

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP


Looks like some sort of IE customization.... sketchy

Besides that, startuplist appears to check out... now looking at hijackthisnew.txt

EDIT: Hijackthisnew is clean.
 
hi mastershakes, any chance that this is my ISP branding IE? like they haven't, but that's all that comes to mind? and thanks for all ur research as well, much appreciated and much learned :)

and last nite i recovered my real, proper registry editor. i was temporarily using the copy from dougknox.com, but typing "regedit" in the run dialog box used to come up as just a dos box, so i dun a bit more research and copped that it was a file called "regedit.com" that was coming up instead of regedit.exe. so i saw the command line in the title bar and followed it in windows explorer, then deleted regedit.com, et voila :)
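The regedit.com case in the post above can be checked for across a whole search path. The following is an added example, not part of the thread: it models extension-less command lookup and reports every .exe that loses to a same-named file. The extension order (.com before .exe, as in the default Windows PATHEXT), the function names and the sample directory are assumptions made for the illustration.

```python
import os
import tempfile

# Assumed lookup order, matching the default Windows PATHEXT: .COM before .EXE.
DEFAULT_PATHEXT = [".com", ".exe", ".bat", ".cmd"]

def resolve(stem, search_dirs, pathext=DEFAULT_PATHEXT):
    """Return the file an extension-less command name would resolve to."""
    for d in search_dirs:
        try:
            present = {n.lower(): n for n in os.listdir(d)}
        except OSError:
            continue  # unreadable or missing directory: skip it
        for ext in pathext:
            hit = present.get(stem.lower() + ext)
            if hit:
                return os.path.join(d, hit)
    return None

def find_shadowed(search_dirs, pathext=DEFAULT_PATHEXT):
    """List (exe_path, winner_path) pairs where an .exe loses to another file."""
    findings = []
    for d in search_dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            exe_path = os.path.join(d, name)
            winner = resolve(stem, search_dirs, pathext)
            if winner and os.path.normcase(winner) != os.path.normcase(exe_path):
                findings.append((exe_path, winner))
    return findings

def demo():
    """Constructed sample: a fake directory holding regedit.exe and regedit.com."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("regedit.exe", "regedit.com", "notepad.exe"):
            open(os.path.join(d, name), "wb").close()
        return [(os.path.basename(e), os.path.basename(w))
                for e, w in find_shadowed([d])]

if __name__ == "__main__":
    print(demo())
```

Pass the directories in the same order as the real search path; an .exe that is preceded by a same-named .exe in an earlier directory is reported as well, so expect some benign duplicates.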
 
