Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

help webbuying [RESOLVED]


  • This topic is locked This topic is locked

#16
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Please navigate to and delete the following bak-folder:

C:\Program Files\QuickTime\bak

Then, * Now, in FindAWF, select option 4 and enter.
When done, Press E then Enter to EXIT.

Copy and paste a new HijackThislog in your next reply.
  • 0

Advertisements


#17
cokane

cokane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:35 PM, on 2/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\Owner\Desktop\slsk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
  • 0

#18
cokane

cokane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
my anti virus just found this TR/Dldr.VB.VLG.36 searched it on the web and found nothing on it.
  • 0

#19
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Check and fix next entry in HijackThis:

O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

This is a leftover from Vundofix and not needed to startup with Windows anymore.

Then reboot.

After reboot, go to start > run and copy and paste next command in the field:

sc delete VundoFixSvc

Hit enter

my anti virus just found this TR/Dldr.VB.VLG.36 searched it on the web and found nothing on it.

Yes, that's possible and it's most probably flagging the files present in the C:\Qoobox folder which is the backup/quarantine folder of Combofix.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, as a final check..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.
  • 0

#20
cokane

cokane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant2.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant2.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\Logs\MySpaceIM-20080222-083730.log Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\call256.dbb Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\callmember256.dbb Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\index2.dat Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\profile256.dbb Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\user1024.dbb Object is locked skipped

C:\Documents and Settings\Owner\Application Data\MySpace\IM\SkypeCache\myspace#3acokane_88\user256.dbb Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF3D82.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{EDAF3163-403F-40F6-AC1F-D07563A12755}\RP5\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\PAL\KLP\explorer.exe Infected: not-a-virus:Monitor.Win32.KeyLog.32 skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped
  • 0

#21
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Is this the complete scan report? Because I am missing the header and the footer.

Also, are you aware that PAL KeylogPro is installed? Did you install it? If not, uninstall it via software > add/remove programs.
Reboot afterwards.
After reboot, navigate to and delete the C:\WINDOWS\system32\PAL\KLP - folder if still present.

Let me know afterwards how things are now.

Edited by miekiemoes, 22 February 2008 - 10:17 AM.

  • 0

#22
cokane

cokane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
i did not no there was a key logger. my wife might have installed it she seems to all ways be spying on me. i kinda hope it was her if it was some one else thats a bad sign. i checked the dates on some of the files in the folder and they were 2003 could that be when it was in stalled or just the dates from when it was made.

the instructions for the kaspersky did not really match what was on the website. but i did scan my computer sections and thats what i got from it.
  • 0

#23
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Yes, this keylogger was installed by someone - it won't install itself automatically. So yes, it would be most probably your wife. :)

Anyway, how are things now?
  • 0

#24
cokane

cokane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
i think every thing is fine. have not had any problems in a few days. i guess we can call this resloved thanks again.
  • 0

#25
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

Advertisements


#26
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP