Please follow all of that set of instructions in my last post.
Help Ive been Hacked !
Started by
Naranjo99
, Nov 18 2006 03:35 AM
-
This topic is locked
#31
Posted 20 November 2006 - 06:56 AM
Octagonal
-
- Member
-
- 2,528 posts
Member 2k
Please follow all of that set of instructions in my last post.
#32
Posted 20 November 2006 - 08:14 AM
Naranjo99
- Topic Starter
-
- Member
-
- 30 posts
Member
Hiya,
I just ran the "FIleFind " for jaeetua.exe in C and D drives. and it found nothing..
should I continue on to Kasperski ?
Here is the AVG scan result:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:33:51 AM 11/20/2006
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{39f25b12-74ff-4079-a51f-1d70f5b08b84} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39f25b12-74ff-4079-a51f-1d70f5b08b84} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-602162358-1454471165-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AD92CD6-171A-45FB-9EBC-5535A28846A0}\RP2\A0004040.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvsap.dll -> Not-A-Virus.Hoax.Win32.Renos.ge : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@zedo[3].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
Ed-
I just ran the "FIleFind " for jaeetua.exe in C and D drives. and it found nothing..
should I continue on to Kasperski ?
Here is the AVG scan result:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:33:51 AM 11/20/2006
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{39f25b12-74ff-4079-a51f-1d70f5b08b84} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39f25b12-74ff-4079-a51f-1d70f5b08b84} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-602162358-1454471165-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AD92CD6-171A-45FB-9EBC-5535A28846A0}\RP2\A0004040.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvsap.dll -> Not-A-Virus.Hoax.Win32.Renos.ge : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@zedo[3].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
Ed-
#33
Posted 20 November 2006 - 08:34 AM
Naranjo99
- Topic Starter
-
- Member
-
- 30 posts
Member
I just tried Kaspersky ..
It isnt working for some reason..
I am allowing it to DL the ActiveX but It doesnt activate..
I've tried several times.. I dont have the Beta version mentioned on the page that would prevent it from working correctly so I dont know what the problem might be ..
Ed-
It isnt working for some reason..
I am allowing it to DL the ActiveX but It doesnt activate..
I've tried several times.. I dont have the Beta version mentioned on the page that would prevent it from working correctly so I dont know what the problem might be ..
Ed-
#34
Posted 20 November 2006 - 01:38 PM
Octagonal
-
- Member
-
- 2,528 posts
Member 2k
Hi ,
If you cannot get Kaspersky to work then use this one.
Please go HERE to run Panda's ActiveScan
Once again you will have to use Internet Explorer for this as it uses Actice X.
Thanks.
If you cannot get Kaspersky to work then use this one.
Please go HERE to run Panda's ActiveScan
Once again you will have to use Internet Explorer for this as it uses Actice X.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Thanks.
#35
Posted 20 November 2006 - 10:51 PM
Naranjo99
- Topic Starter
-
- Member
-
- 30 posts
Member
Hello,
here is the Panda report:
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\hjpxolfu.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@adtech[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\zlob remover\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Program Files\Dialog\DialogLink\DLinkRegister.exe
Possible Virus. Not disinfected C:\VundoFix Backups\awtsp.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lujxolah.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ourkfrjw.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
----------------------------------------------------------------------------------------------
Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 11:46:43 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HjackThis\analysethis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jaeetua.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9FCA9920-5B00-49F5-92E9-7B31BEAE452A} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\yecqlulm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1143839248783
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161425030510
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
Many of the worst symtoms are gone now!
Pop-Ups are gone
Safe Mode Works
Computer runs ess sluggishy. Boots on and off more normally..
In General much Better !!!
Questions:
Do you think Someone was remotey controlling my computer ?
Ifso to what degreee..
THe guest Account that appeared scared me alot .. could that have been created by Windows OneCare or was that an attack of some sort ?
thanks ALOT !
Ed-
here is the Panda report:
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\hjpxolfu.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@adtech[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\[email protected][2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\zlob remover\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Program Files\Dialog\DialogLink\DLinkRegister.exe
Possible Virus. Not disinfected C:\VundoFix Backups\awtsp.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lujxolah.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ourkfrjw.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
----------------------------------------------------------------------------------------------
Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 11:46:43 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HjackThis\analysethis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jaeetua.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9FCA9920-5B00-49F5-92E9-7B31BEAE452A} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\yecqlulm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1143839248783
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161425030510
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
Many of the worst symtoms are gone now!
Pop-Ups are gone
Safe Mode Works
Computer runs ess sluggishy. Boots on and off more normally..
In General much Better !!!
Questions:
Do you think Someone was remotey controlling my computer ?
Ifso to what degreee..
THe guest Account that appeared scared me alot .. could that have been created by Windows OneCare or was that an attack of some sort ?
thanks ALOT !
Ed-
#36
Posted 21 November 2006 - 02:38 AM
Octagonal
-
- Member
-
- 2,528 posts
Member 2k
Hi Naranjo99,
I don't know what exactly caused that extra account to be created. It may pay to change any passwords that you have just to make sure.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Go here to upload a suspicious file for analysis.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jaeetua.exe
O2 - BHO: (no name) - {9FCA9920-5B00-49F5-92E9-7B31BEAE452A} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\yecqlulm.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
Now close all windows other than HiJackThis (including any browser windows), then click Fix Checked.
Boot into Safe Mode: You can do this by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please double-click Killbox.exe to run it.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Perform another Panda Activescan and post the results so I can see if those nasty files stay deleted.
Post a fresh HijackThis log and let me know if you are still having problems.
Thanks.
I don't know what exactly caused that extra account to be created. It may pay to change any passwords that you have just to make sure.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Go here to upload a suspicious file for analysis.
- Enter your username from this forum
- Copy and paste the link to this thread
- Browse for this filename: C:\WINDOWS\system32\lujxolah.dll
C:\WINDOWS\system32\ourkfrjw.dll - In the comments, please mention that I asked you to upload this file
- Click on Send File
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jaeetua.exe
O2 - BHO: (no name) - {9FCA9920-5B00-49F5-92E9-7B31BEAE452A} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\yecqlulm.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
Now close all windows other than HiJackThis (including any browser windows), then click Fix Checked.
Boot into Safe Mode: You can do this by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please double-click Killbox.exe to run it.
- Select: Delete on Reboot then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\lujxolah.dll
C:\WINDOWS\system32\ourkfrjw.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Perform another Panda Activescan and post the results so I can see if those nasty files stay deleted.
Post a fresh HijackThis log and let me know if you are still having problems.
Thanks.
#37
Posted 21 November 2006 - 06:20 AM
Naranjo99
- Topic Starter
-
- Member
-
- 30 posts
Member
I submitted the files...
I'l now perform Hijack this operation..
thanks,
Ed-
I'l now perform Hijack this operation..
thanks,
Ed-
#38
Posted 21 November 2006 - 11:02 AM
Naranjo99
- Topic Starter
-
- Member
-
- 30 posts
Member
Hi
here are the results..
Panda:
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\hjpxolfu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\lujxolah.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ourkfrjw.dll
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\zlob remover\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Program Files\Dialog\DialogLink\DLinkRegister.exe
Possible Virus. Not disinfected C:\VundoFix Backups\awtsp.dll.bad
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
---------------------------------------------------------------------------------------------------
Hijack this:
Logfile of HijackThis v1.99.1
Scan saved at 11:58:57 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\HjackThis\analysethis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1143839248783
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161425030510
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
here are the results..
Panda:
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\hjpxolfu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\lujxolah.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ourkfrjw.dll
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Cookies\administrator@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator.USER-EY35M5DWTN\Desktop\New Folder\zlob remover\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Program Files\Dialog\DialogLink\DLinkRegister.exe
Possible Virus. Not disinfected C:\VundoFix Backups\awtsp.dll.bad
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
---------------------------------------------------------------------------------------------------
Hijack this:
Logfile of HijackThis v1.99.1
Scan saved at 11:58:57 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\HjackThis\analysethis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....erify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1143839248783
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161425030510
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
#39
Posted 21 November 2006 - 01:37 PM
Octagonal
-
- Member
-
- 2,528 posts
Member 2k
Hi Naranjo99,
Congratulations. Your log appears to be clean.
We now need to re-hide some system files and folders.
ComboFix.exe and any associated logs
VundoFix.exe and C:\vundofix.txt
FixReg1.reg
FileFind.exe and C:\Export.txt
Killbox.exe and C:\!KillBox
Also remove the folder on your desktop that contains SmitfraudFix.zip and smitRem.exe
And reset your System Restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Keep Java updated and remember to remove older versions of Java when you update to a newer version to avoid exploitation of older versions left on your system.
Please follow these Tips to prevent a possible infection or re-infection.
Many computers become infected because of unpatched Operating Systems.
Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly.
Download, install AND update the following free programs. It is important to keep all anti-malware programs updated. Please update at least once a week.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
Congratulations. Your log appears to be clean.
We now need to re-hide some system files and folders.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading place a checkmark next to Do Not Show hidden files and folders.
- Check the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
ComboFix.exe and any associated logs
VundoFix.exe and C:\vundofix.txt
FixReg1.reg
FileFind.exe and C:\Export.txt
Killbox.exe and C:\!KillBox
Also remove the folder on your desktop that contains SmitfraudFix.zip and smitRem.exe
And reset your System Restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Keep Java updated and remember to remove older versions of Java when you update to a newer version to avoid exploitation of older versions left on your system.
Please follow these Tips to prevent a possible infection or re-infection.
Many computers become infected because of unpatched Operating Systems.
Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly.
Download, install AND update the following free programs. It is important to keep all anti-malware programs updated. Please update at least once a week.
- Spybot Search & Destroy - A powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
- AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
- SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
- SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
- IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
- CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
- Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
#40
Posted 21 November 2006 - 02:57 PM
Naranjo99
- Topic Starter
-
- Member
-
- 30 posts
Member
just a couple of questions. Are the remaining incidents being found by Panda anything to be concerned about ?
I am downoading ZoneAarm now -- I've heard of it -
Isnt the WIndows FIrewa I have sufficient ??
will Zone alarm conflict with any other program i have running like my windows firewall ??
and Finally ----
Thanks you very sincerely for al your help with this issue.. I obviousy coud not have done this without your help
In fact I'm still not very sure exactly what we did !!!
THANKS !!!!!
I am downoading ZoneAarm now -- I've heard of it -
Isnt the WIndows FIrewa I have sufficient ??
will Zone alarm conflict with any other program i have running like my windows firewall ??
and Finally ----
Thanks you very sincerely for al your help with this issue.. I obviousy coud not have done this without your help
In fact I'm still not very sure exactly what we did !!!
THANKS !!!!!
#41
Posted 22 November 2006 - 04:10 AM
Octagonal
-
- Member
-
- 2,528 posts
Member 2k
Hi Naranjo99,
First of all the Panda log that you posted in your first post contained mainly cookies in which were taken care of when you ran ATF-Cleaner. The only other infection in that log was the drvsap.dll file where AVG Anti-Spyware took care of this in the course of doing the cleaning. Process.exe also showed in that log but was part of the SmitRem removal tool and was ok to leave alone.
From analysing your HijackThis log and studying the ComboFix log I could see several other infections that were present on your system and dealt with them accordingly.
I strongly suggest using a third party dedicated firewall on your computer. Simply put, by doing this you have more control of what is and isn't allowed access to and from your computer. It is perfectly ok to install ZoneAlarm, when it is installed Windows will automatically detect it and disable its own firewall and let ZoneAlarm take care of things. Just be sure to disable any of ZoneAlarms own anti-virus protection. I am sure that your installation of Nortons will do just fine and this will also negate any possible conflicts. You could probably run an on-line anti-virus scanner from Panda or Kaspersky every now and then just to make sure that any nasty files aren't hiding in there somewhere.
You may find this tutorial of some use.
Be carefull and safe surfing.
First of all the Panda log that you posted in your first post contained mainly cookies in which were taken care of when you ran ATF-Cleaner. The only other infection in that log was the drvsap.dll file where AVG Anti-Spyware took care of this in the course of doing the cleaning. Process.exe also showed in that log but was part of the SmitRem removal tool and was ok to leave alone.
From analysing your HijackThis log and studying the ComboFix log I could see several other infections that were present on your system and dealt with them accordingly.
I strongly suggest using a third party dedicated firewall on your computer. Simply put, by doing this you have more control of what is and isn't allowed access to and from your computer. It is perfectly ok to install ZoneAlarm, when it is installed Windows will automatically detect it and disable its own firewall and let ZoneAlarm take care of things. Just be sure to disable any of ZoneAlarms own anti-virus protection. I am sure that your installation of Nortons will do just fine and this will also negate any possible conflicts. You could probably run an on-line anti-virus scanner from Panda or Kaspersky every now and then just to make sure that any nasty files aren't hiding in there somewhere.
You may find this tutorial of some use.
Be carefull and safe surfing.
#42
Posted 23 November 2006 - 02:51 AM
Octagonal
-
- Member
-
- 2,528 posts
Member 2k
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
