Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

No firewall over two weeks,lots of maleware!


  • Please log in to reply

#16
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Hello are you there?
Everything went great. Except panda active x would not download. I used IE but still nothing. I even tried turning my firewall off.
Sleeples in ny
Classy
  • 0

Advertisements


#17
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Some people have trouble running that scan . No problem...lets go a different route

Download and install CleanUp! Here
but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

update ewido to the latest definition files

1.On the left hand side of the main screen click update.
2.Then click on Start Update.
3.The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
4.Close Ewido

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0015.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program

Now open Ewido
:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

please post back with how things went as well as a new Hijack log and the Ewido log

Thanks .

I am going to bed and will respond tomorrow :tazz:

Edited by loophole, 29 October 2005 - 12:23 AM.

  • 0

#18
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Will ewido reinstall new info or must I do a complete UNinstall?
  • 0

#19
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Just follow my directions. You dont need to uninstall it. Just update it. Ewido is a free trial. If your free trial is up you wont be able to update it....in that case just skip the updating and proceed with the directions :tazz:
  • 0

#20
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
good afternoon :tazz:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:16:51 PM, 10/29/2005
+ Report-Checksum: 20E0FEA2

+ Scan result:
:mozilla.7:C:\Documents and Settings\Cuddles\Application Data\Mozilla\Firefox\Profiles\iqj3o8om.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Cuddles\Application Data\Mozilla\Firefox\Profiles\iqj3o8om.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Cuddles\Application Data\Mozilla\Firefox\Profiles\iqj3o8om.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\InetGet2\goldenInstaller.exe -> Spyware.Maxifiles : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:20:46 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = yes
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120884224343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius....tiveXPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

I also ran "Cleanup"
  • 0

#21
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
How is the system running now?
  • 0

#22
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Sorry didnt get back to you right away. I was researching the Toj system 32.dll\gui. It grows everytime I reboot and its a "high threat" All my saved sites on delete resitant maleware is my registry. "Maxifiles" is one of many that resist being deleted.
I also have "lsass" in my startup reseaerch says is a growing threat. I ran CCleaner and Cleanup.
Can you reccommend a shareware program that is a resident program.
The problem im having with my computer is Im l,ogged it as; "Admistrator1" however, an Unoffical, unlisted as user "Admistrator1.CUDDLES.000" Why diid it add this user and give it Administive powers?
I feel invaded and someone else is using my computer.
I am sure these trojans are the culprit.
I want a program that will make closing my ports easy and controlable for me.h.
Im asking for alot because these people know the vulnerable comnputers.. ports, making it discouraging
not worth thier time!
Classy
  • 0

#23
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Something technical for you to look at. If you look at thge other ewido log, you'll see the same trojans are there again.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:29:22 PM, 10/30/2005
+ Report-Checksum: 7BE5C059

+ Scan result:

C:\Documents and Settings\Corey\Cookies\corey@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\WINDOWS\system32\mc-67-525-0000166.exe -> Adware.Maxifiles : Cleaned with backup


::Report End
  • 0

#24
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
The cookies are fine and no big deal. One of the files ewido had an error while cleaning last time but cleaned it this time and the other is a backup that hijack made. Admistrator1.CUDDLES.000" is a user profile. I assume your computer name is cuddles, if it is then this is correct.

Are you still having problems?
  • 0

#25
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Yes Im still having problems. The ''Favorites'' I added on one night are gone the next. Why?
Applications I open tells me theres no correct path. Every phone number I need is in this application.
Im an offical User, but when I gol on Miccrosoft update it says only administrators can perform changes i.e. downloads.
  • 0

Advertisements


#26
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
No, the OFFICAL USERS are Administrator1, Administrator

UNoffically....NOT A LOGIN USER...= Administrator1.CUDDLES.000, Administrator1.CUDDLES.
The DNS folder you told me to delete, came back.
  • 0

#27
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Who told you to run CCcleaner? Thats probably where your favorites went where

Applications I open tells me theres no correct path. Every phone number I need is in this application.

What Application?

UNoffically....NOT A LOGIN USER...= Administrator1.CUDDLES.000, Administrator1.CUDDLES.

If you want to log in as administrator log in as administrator ,Im not sure what you are trying to say. How many people use this machine. I see nothing wrong with the above


Post a new Hijack log

Edited by loophole, 30 October 2005 - 11:19 PM.

  • 0

#28
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
The problem is with ALL aplications when i right click on ''properties;
the path is ...Doc & Set...Administrator1.CUDDLES. or Administrator1.CUDDLES.OOO. This is an UNoffical User that was added by itself. Even tho im LOGGED IN as "Admistrator1"

The OFFICAL USERS ARE;;
Administrator1
Corey
Cuddles
All Users
Default user

Users that just appeared from no where like Administraor1.CUDDLES.000, How did this user
get admistrator powers? And how do I correct the paths to my applications thats looking temp file to iniate the application? Its almost the offical users are ignored.

My hotmail account asked me to fill out a net.passport beccause my crediandials did not exist!!

Did you know this all started when I couldnt get on the internet, niether firefocx noe IE connected.
In the address bar it said, res:....DNSERROR.html. Which on a friends computer is suggested to download a winsock program to get me to a working registry.
And here I am. HJT is in the next post.
  • 0

#29
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
I just found ALL my FAVORITES under Doc & Set...........Administrator1.CUDDLES. How do I use my favorites when its not an User Account. If I added one under Users Acount will it make a second user with the same name? Coping nor moving the files worked. I exported it from firefox but nothing.

Heres my HJT.Log

Logfile of HijackThis v1.99.1
Scan saved at 8:16:34 AM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120884224343
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius....tiveXPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

#30
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
What account do you log in under? It appears you have created a new user account or your computer is grabbing the wrong user account or you copy and pasted the wrong user accout. To truly copy the documents and settings folder you have to do it in safemode then view hidden files and folders then copy everything including the NTuserdat.log which is crucial. All of the ...Administrator1.CUDDLES. or Administrator1.CUDDLES.OOO.. are all user accounts and nothing bad and very normal. Let me Know exactly what you wish to do and I can help you.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP