Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Your privacy data is in danger [CLOSED]

Started by J0k3r4o , Jul 05 2008 04:15 PM

This topic is locked

#1
J0k3r4o

Posted 05 July 2008 - 04:15 PM

New Member

Member
3 posts

Hi
pop up window showed for updating ActiveX after the update completed on my desktop showed a wallpaper with hyperlink "YOUR PRIVACY DATA IS IN DANGER" with a Biohazard logo

so here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:12:49, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\sms\sms.exe
C:\Programs\Datecs\FlexType 2K\FType2K.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Explorer.exe
C:\Programs\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\Programs\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMS by Jeko Ianev] C:\Programs\sms\sms.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FlexType 2K.lnk = C:\Programs\Datecs\FlexType 2K\FType2K.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Programs\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programs\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programs\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programs\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6369 bytes

HELP ME PLEASE!

#2
J0k3r4o

Posted 05 July 2008 - 04:21 PM

New Member

Topic Starter
Member
3 posts

SmitFraudFix v2.329

Scan done at 1:18:46.48, Ґ¤Ґ«ї 07/06/2008
Run from C:\Documents and Settings\Koko\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\sms\sms.exe
C:\Programs\Datecs\FlexType 2K\FType2K.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Explorer.exe
C:\Programs\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Koko\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Koko

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Koko\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Koko\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{41EFF7AE-1C75-425E-B26F-E73CB2C4A242}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{41EFF7AE-1C75-425E-B26F-E73CB2C4A242}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{41EFF7AE-1C75-425E-B26F-E73CB2C4A242}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{41EFF7AE-1C75-425E-B26F-E73CB2C4A242}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#3
J0k3r4o

Posted 05 July 2008 - 04:45 PM

New Member

Topic Starter
Member
3 posts

Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

1:44:45 AM 7/6/2008
mbam-log-7-6-2008 (01-44-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128857
Time elapsed: 51 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ljJDwXpQ.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\pmnmjggE.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f594f9b4-a70d-4e45-8de1-484474cf78b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f594f9b4-a70d-4e45-8de1-484474cf78b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1fe4bfc2-60db-461c-b734-1d40f120299a} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fe4bfc2-60db-461c-b734-1d40f120299a} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnmjgge (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware away v3.1.4.7_is1 (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1fe4bfc2-60db-461c-b734-1d40f120299a} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdwxpq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdwxpq -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ljJDwXpQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\QpXwDJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QpXwDJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Update.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\User Manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnmjggE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\Koko\Desktop\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.

#4
Rorschach112

Posted 06 July 2008 - 05:53 PM

Ralphie

Retired Staff
47,710 posts

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#5
Rorschach112

Posted 13 July 2008 - 05:27 PM

Ralphie

Retired Staff
47,710 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.