
Various Infestations (inc recurring Virtumonde & Smitfraud)

This topic is locked.

#16 Kenny94 (Member 1K, 1,595 posts)
Hello StripeyUnited

Sorry to have more dumb questions, but hopefully I can avoid making a mess of things if I don't do something stupid from not asking the questions!

That's alright to ask. And you will not mess things up with these two programs. :whistling:

Go to http://www.java.com/...load/manual.jsp and click the first download link that says "Windows (Online Installation) (see below Note) (filesize: ~7.1MB)", click Run and let it install.

ATF Cleaner: go ahead and click on "Main", then select all and click the Empty Selected button. Do the same thing with "Firefox"; this will clean your computer of temp files and so forth.

With that done, please post back with a fresh HiJackThis log. Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

#17 StripeyUnited (Topic Starter, Member, 19 posts)
Hi Kenny :blink:

I did jump the gun on the Java stuff and delete the files before I rebooted (and again once I'd rebooted). So I hope that's not going to be a problem.

Once I got the ATF cleaner open, the rest of the instructions suddenly made sense! Thanks for your reassurance about that.

I do have another question. I have been doing all this on my profile in normal. I have an admin profile which is only accessible in safe mode (which I've not encountered before because someone rebuilt my computer for me last year when the hard drive got fried). Should I also be carrying out diagnostics on that as well, or should it be ok if it's only accessible in safe mode?

I have another concern now! I no longer see the G2G site in the same way as before. A substantial amount of the functionality and layout has gone (e.g. smilies can't be used, and I have to type in the code for underscore, bold etc.). Is this because I cocked up the Java update? Worried now :whistling:

Panic over - I cleared the cache on my browser and it seems to have sorted the problem out.

Please see below my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:30:27, on 02/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Geek.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160597149880
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDD4B14-54F4-4B80-8C79-92BB9796CA01}: NameServer = 80.189.92.2 80.189.94.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Edited by StripeyUnited, 02 February 2007 - 02:45 PM.

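As an added example (not from this thread and not part of HijackThis itself), a small Python checker for the log format above: it parses the "Oxx - ..." entry lines and picks out the sections a helper would inspect by hand (O15 Trusted Zone, O17 DNS servers, O20 Winlogon Notify) plus any entry marked "(file missing)". The sample lines are copied from the log above; the section names, reason texts and function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: six lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDD4B14-54F4-4B80-8C79-92BB9796CA01}: NameServer = 80.189.92.2 80.189.94.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every entry line has the shape "<section> - <body>", e.g. "O17 - HKLM\...: NameServer = ...".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Sections a reviewer always checks by hand, and why (my own wording, not HijackThis text).
WHY = {
    "O15": "Trusted Zone entry: sites listed here run with relaxed IE security; confirm it was added on purpose",
    "O17": "DNS servers: compare with the ISP's servers; a changed NameServer redirects every lookup",
    "O20": "Winlogon Notify DLL: loaded at every logon, a common persistence spot; verify the file",
}

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for each entry that deserves a closer look."""
    findings = []
    for section, body in entries:
        if section in WHY:
            findings.append((section, WHY[section], body))
        elif body.endswith("(file missing)"):
            # Dead reference: harmless on its own, but leftover clutter that a fix can remove.
            findings.append((section, "points to a file that no longer exists", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in review(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```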

#18 Kenny94 (Member 1K, 1,595 posts)
Hello StripeyUnited

I have an admin profile which is only accessible in safe mode (which I've not encountered before because someone rebuilt my computer for me last year when the hard drive got fried). Should I also be carrying out diagnostics on that as well, or should it be ok if it's only accessible in safe mode?

You are fine and your infections were removed. And now you have the latest version of Java in your log. :blink:

Congratulations, your log looks clean. :whistling:

You will need to print out these instructions for a reference, or you can save them by copying and pasting them into Notepad and saving the text file to the desktop.

Some final items:

Important, we need to flush out all System Restore points.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • SiteAdvisor - download this plug-in for your browser and it will alert you to a known bad site for FREE.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

#19 StripeyUnited (Topic Starter, Member, 19 posts)
:whistling: :blink: :help:

Hi Kenny

And many thanks for all your help and patience with my sometimes very ignorant questions!

I've re-set my restore points.

I've already got some of the products you've recommended and will look to add the others.

Can you advise what I should do with all the things I downloaded in order to sort out the problems I've had (eg: killbox, vundofix)? I imagine these evolve so will be out of date if I have another problem in the future. Possibly the same will be true of Hijack This...?

I had the setup element of something called SpywareBot, but I've deleted that. Was that nasty or ok?

Also, what was the nature of the stuff I have now cleaned off my computer with your help? Just so I know if I should be changing passwords as a precautionary measure.

Needless to say, I will be recommending your site and help to any of my friends who encounter problems on their computers!

Adding in some of your recommended protection, I've some more questions! Sorry!

Firefox blocks the download from SiteAdvisor, by the way; is that still OK to download?
Which version of IE-SpyAd should I be selecting? I can't really see which one is the one I should have.
I downloaded Windows Defender, but I've disabled it completely. Should I have some parts of it disabled (I know I need to keep the real-time bit disabled as it would conflict with NOD32) but some of it running?

Edited by StripeyUnited, 03 February 2007 - 06:48 AM.


#20 Kenny94 (Member 1K, 1,595 posts)
Hello StripeyUnited

And many thanks for all your help and patience with my sometimes very ignorant questions!

You're welcome.

Firefox blocks the download from SiteAdvisor, by the way; is that still OK to download?
Which version of IE-SpyAd should I be selecting? I can't really see which one is the one I should have.
I downloaded Windows Defender, but I've disabled it completely. Should I have some parts of it disabled (I know I need to keep the real-time bit disabled as it would conflict with NOD32) but some of it running?


It's OK to download SiteAdvisor. There's one for Firefox at: http://www.siteadvis...ownload/ff.html

Download IE-SPYAD (original). Go ahead and enable Windows Defender. You had the Vundo trojan. Visit: http://en.wikipedia.org/wiki/Vundo

You can delete killbox and vundofix, but keep ATF Cleaner; it's a great cleaner and it's safe to use.... :whistling:

Stay away from SpywareBot. Visit: http://www.spywarewa...nti-spyware.htm

#21 StripeyUnited (Topic Starter, Member, 19 posts)
Thanks, Kenny!

I think I'm all sorted out now. Hopefully that's everything done now!

:whistling:

#22 Kenny94 (Member 1K, 1,595 posts)
That's great StripeyUnited! It has been a pleasure working with you. :whistling:

I'll ask a Moderator to mark this thread resolved.

#23 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.