c:\secure32.html


11 replies to this topic

#1 madmidgy

Posted 23 May 2006 - 09:54 AM

Hi there, just joined the forum. Been looking around and it looks great and useful. I have a problem in that my home page has been hijacked with "c:\secure32.html" and I can't seem to get rid of it. I have run AVG in safe mode and Spybot S&D but still can't seem to get rid of it, so I have run HJT and here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 16:37:51, on 23/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\pegcnt.exe
C:\Program Files\Symantec\GhostStartTrayApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SoftDisc\softdisc.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
G:\Winamp\winampa.exe
G:\Program Files\BearShare\BearShare.exe
C:\Program Files\kekltmx.exe
C:\windows\system32\taskmgn.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Symantec\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\DazzlingEvents\DazzlingEvents.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brians1\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Retek UK Ltd
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [System_Messages] C:\WINDOWS\System32\pegcnt.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [pFnh36W] arpni11.exe
O4 - HKLM\..\Run: [SoftDisc] "C:\Program Files\SoftDisc\softdisc.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] G:\Winamp\winampa.exe
O4 - HKLM\..\Run: [BearShare] "G:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SysTray] C:\Program Files\kekltmx.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yo4nRWa4X] amsaddin.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: Dazzling Events.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxdm824YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...=3DDemo_Servers
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.3.3.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://ispe.sdc.hp.c...DiagManager.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://192.168.0.50/activex/AMC.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: dvb03a - C:\WINDOWS\SYSTEM32\dvb03a.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any help would be greatly appreciated.
I hope I have gone through the correct channels here; if not, I apologise in advance.
Cheers



#2 Susan528

Posted 24 May 2006 - 12:11 PM

Hello madmidgy and Welcome to TomCoyote,

I am sorry but I must inform you that you have a nasty infection along with some others. I wanted to warn you before we take additional time to fix your system. You should consider formatting and reinstalling.

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
http://www.sophos.co...rojtorpigc.html

The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.
The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.
Troj/Torpig-C automatically closes security warning messages displayed by common anti-virus and security related applications.

I urge you to protect your personal information

Do not use this system for any transactions until you are clean.

Here are a couple of links which may provide you with additional valuable information:
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451


If You do any online banking, ebay/paypal purchases, any other sensitive online transactions...:

You are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Please let me know if you intend to format and reinstall. The problem is that even if we help you clean off the malware, we do not know what changes may have been made to your system to compromise it. Otherwise I will do my best to help you remove the malware.

Sincerely,

Susan

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
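The two lines Susan singles out (the F2 "Shell=" entry and the O4 Run value pointing at the same ibm00001.exe) are the kind of thing a log reviewer checks by hand. The script below is an added example, not code from this thread or from HijackThis, that scores a HijackThis v1.99 log against a few of those rules: a Shell= value loading anything besides explorer.exe, a start/default page pointing at a local file, Run values with machine-generated names or bare executable names, and Winlogon Notify DLLs listed for confirmation. The sample lines are copied from the first log in the thread; the name heuristic and severity labels are my own assumptions.

```python
"""Triage a HijackThis v1.99 log for the indicators discussed in this thread.

Added example, not code from the thread or from HijackThis itself. The rules
are a conservative subset of what a log reviewer checks by hand; the
"machine-generated name" heuristic and the severity labels are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pFnh36W] arpni11.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Yo4nRWa4X] amsaddin.exe
O20 - Winlogon Notify: dvb03a - C:\WINDOWS\SYSTEM32\dvb03a.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass
class Finding:
    severity: str  # "high": treat as compromise; "review": confirm by hand
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


HOMEPAGE_KEYS = ("Start Page", "Default_Page_URL", "Local Page")
LOCAL_FILE = re.compile(r"^[a-zA-Z]:\\")
R_ENTRY = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O4_ENTRY = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ALNUM_NAME = re.compile(r"^[A-Za-z0-9]{6,12}$")


def looks_generated(name: str) -> bool:
    """Heuristic (assumption): short alphanumeric value name mixing digits with both cases."""
    return (ALNUM_NAME.match(name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def executable_of(cmd: str) -> str:
    """First token of a Run command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def check_line(line: str) -> list:
    """Return the findings for one HijackThis log line (empty if nothing stands out)."""
    findings = []
    tag = line.split(" - ", 1)[0]
    if tag in ("R0", "R1"):
        m = R_ENTRY.match(line)
        if m and m.group("name") in HOMEPAGE_KEYS and LOCAL_FILE.match(m.group("value")):
            findings.append(Finding("high", tag, "browser start/default page points at a local file", line))
    elif tag == "F2" and "Shell=" in line:
        # Anything listed after explorer.exe is launched by winlogon at every logon.
        tokens = line.split("Shell=", 1)[1].split(None, 1)
        if not tokens or tokens[0].lower() != "explorer.exe" or len(tokens) > 1:
            findings.append(Finding("high", tag, "system.ini Shell= loads something besides explorer.exe", line))
    elif tag == "O4":
        m = O4_ENTRY.match(line)
        if m:
            name, exe = m.group("name"), executable_of(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding("review", tag, "autorun gives a bare executable name, resolved via the search path", line))
            if looks_generated(name):
                findings.append(Finding("high", tag, "autorun value name looks machine-generated", line))
            if name.lower() == "shell":
                findings.append(Finding("high", tag, "Run value named 'shell' mirrors the system.ini Shell= hijack", line))
    elif tag == "O20":
        findings.append(Finding("review", tag, "Winlogon Notify DLL runs inside winlogon.exe; confirm it belongs to a known package", line))
    return findings


def triage(log_text: str) -> list:
    """Run check_line over every non-empty line of a HijackThis log."""
    findings = []
    for line in log_text.strip().splitlines():
        findings.extend(check_line(line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the six "high" findings are the two redirected start pages, the Shell= hijack, the two random-named Run values and the Run value named "shell"; the legitimate AVG entries produce nothing.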

#3 madmidgy

Posted 25 May 2006 - 04:23 AM

Thank you for that Susan. I think I'll go ahead and erase my HDD rather than format it, to be on the safe side. Can I back anything up, or would that possibly get infected too? Would appreciate it if you could reply ASAP as this is a works PC. Thanking you once again.

#4 Susan528

Posted 25 May 2006 - 06:33 PM

I think I'll go ahead and erase my HDD rather than format it, to be on the safe side. Can I back anything up, or would that possibly get infected too? Would appreciate it if you could reply ASAP as this is a works PC.


Just formatting the HDD may leave some data, so if you want to erase the data too, that would be even better. By erasing I am referring to using special applications that overwrite data and make it unreadable/unrecoverable.

If you back up data, there is a chance that it may be infected. The more data you back up, the higher the odds (whatever they are) of having infected data. You should scan the backups to try to detect infections. Using different scanners (a minimum of three) would help, since scanners vary in their detection of infections.

Some online scanners:
TrendMicro HouseCall:
http://uk.trendmicro...call_launch.php

Panda ActiveScan:
http://www.pandasoft.../activescan.htm

Kaspersky Online Scanner (using Internet Explorer):
http://www.kaspersky.com/virusscanner

BitDefender:
http://www.bitdefender.com/scan8/

If you have any questions or comments, do not hesitate to post back.

Edited by Susan528, 25 May 2006 - 06:51 PM.


#5 madmidgy

Posted 26 May 2006 - 01:58 AM

Thanks again Susan, I went ahead and erased the hard drive and have it all set up again. Thank you.

#6 Susan528

Posted 26 May 2006 - 03:49 AM

You are welcome! Glad you have it up again. Please post (reply) with another hijackthis log and let's take a look.

#7 madmidgy

Posted 26 May 2006 - 03:57 AM

OK Susan, I did this one 5 mins ago:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:38, on 26/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\brians12\Desktop\New Folder\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Thanks again

#8 Susan528

Posted 26 May 2006 - 01:55 PM

Hello madmidgy,

Your HijackThis log appears to be clean. Let's just do a couple of my favorite scans. You do not appear to have a firewall application installed, so I assume you must be relying on the Windows XP firewall. There are firewall applications that can be downloaded and installed for free for personal use.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next.
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.

STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

#9 madmidgy

Posted 01 June 2006 - 01:59 AM

Hi Susan, sorry I took a bit of time getting back. Here are my logs:

SPYSWEEPER

09:29: | Start of Session, 30 May 2006 |
09:29: Spy Sweeper started
09:29: Sweep initiated using definitions version 686
09:29: Starting Memory Sweep
09:32: Memory Sweep Complete, Elapsed Time: 00:02:59
09:32: Starting Registry Sweep
09:32: Registry Sweep Complete, Elapsed Time:00:00:06
09:32: Starting Cookie Sweep
09:32: Found Spy Cookie: yieldmanager cookie
09:32: brians12@ad.yieldmanager[1].txt (ID = 3751)
09:32: Found Spy Cookie: hbmediapro cookie
09:32: brians12@adopt.hbmediapro[2].txt (ID = 2768)
09:32: Found Spy Cookie: advertising cookie
09:32: brians12@advertising[1].txt (ID = 2175)
09:32: Found Spy Cookie: falkag cookie
09:32: brians12@as-us.falkag[1].txt (ID = 2650)
09:32: Found Spy Cookie: atlas dmt cookie
09:32: brians12@atdmt[2].txt (ID = 2253)
09:32: Found Spy Cookie: a cookie
09:32: brians12@a[1].txt (ID = 2027)
09:32: Found Spy Cookie: bluestreak cookie
09:32: brians12@bluestreak[1].txt (ID = 2314)
09:32: Found Spy Cookie: bravenet cookie
09:32: brians12@bravenet[1].txt (ID = 2322)
09:32: Found Spy Cookie: ru4 cookie
09:32: brians12@edge.ru4[2].txt (ID = 3269)
09:32: Found Spy Cookie: fastclick cookie
09:32: brians12@fastclick[2].txt (ID = 2651)
09:32: Found Spy Cookie: mediaplex cookie
09:32: brians12@mediaplex[1].txt (ID = 6442)
09:32: Found Spy Cookie: mp3downloadhq cookie
09:32: brians12@mp3downloadhq[1].txt (ID = 3014)
09:32: Found Spy Cookie: 2o7.net cookie
09:32: brians12@msnportal.112.2o7[1].txt (ID = 1958)
09:32: Found Spy Cookie: overture cookie
09:32: brians12@perf.overture[1].txt (ID = 3106)
09:32: Found Spy Cookie: questionmarket cookie
09:32: brians12@questionmarket[1].txt (ID = 3217)
09:32: brians12@sel.as-us.falkag[1].txt (ID = 2650)
09:32: Found Spy Cookie: serving-sys cookie
09:32: brians12@serving-sys[2].txt (ID = 3343)
09:32: Found Spy Cookie: sexlist cookie
09:32: brians12@sexlist[1].txt (ID = 3353)
09:32: Found Spy Cookie: statcounter cookie
09:32: brians12@statcounter[2].txt (ID = 3447)
09:32: Found Spy Cookie: touchclarity cookie
09:32: brians12@theaa.touchclarity[2].txt (ID = 3566)
09:32: Found Spy Cookie: tradedoubler cookie
09:32: brians12@tradedoubler[1].txt (ID = 3575)
09:32: Found Spy Cookie: tribalfusion cookie
09:32: brians12@tribalfusion[1].txt (ID = 3589)
09:32: Cookie Sweep Complete, Elapsed Time: 00:00:00
09:32: Starting File Sweep
09:41: File Sweep Complete, Elapsed Time: 00:09:17
09:41: Full Sweep has completed. Elapsed time 00:12:27
09:41: Traces Found: 22
09:45: Removal process initiated
09:45: Quarantining All Traces: 2o7.net cookie
09:45: Quarantining All Traces: a cookie
09:45: Quarantining All Traces: advertising cookie
09:45: Quarantining All Traces: atlas dmt cookie
09:45: Quarantining All Traces: bluestreak cookie
09:45: Quarantining All Traces: bravenet cookie
09:45: Quarantining All Traces: falkag cookie
09:45: Quarantining All Traces: fastclick cookie
09:45: Quarantining All Traces: hbmediapro cookie
09:45: Quarantining All Traces: mediaplex cookie
09:45: Quarantining All Traces: mp3downloadhq cookie
09:45: Quarantining All Traces: overture cookie
09:45: Quarantining All Traces: questionmarket cookie
09:45: Quarantining All Traces: ru4 cookie
09:45: Quarantining All Traces: serving-sys cookie
09:45: Quarantining All Traces: sexlist cookie
09:45: Quarantining All Traces: statcounter cookie
09:45: Quarantining All Traces: touchclarity cookie
09:45: Quarantining All Traces: tradedoubler cookie
09:45: Quarantining All Traces: tribalfusion cookie
09:45: Quarantining All Traces: yieldmanager cookie
09:45: Removal process completed. Elapsed time 00:00:04
********
09:19: | Start of Session, 30 May 2006 |
09:19: Spy Sweeper started
09:21: Your spyware definitions have been updated.
09:29: | End of Session, 30 May 2006 |

EWIDO

+ Created on: 16:49:57, 30/05/2006
+ Report-Checksum: DA203F76
+ Scan result:
C:\Documents and Settings\brians12\Cookies\brians12@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@ehg-ati.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\brians12\Cookies\brians12@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
::Report End

THANKS AGAIN

#10 Susan528

Posted 01 June 2006 - 06:29 AM

Hello madmidgy,

From your results, your system appears to be clean. Here are some recommendations to help keep you from becoming infected.

STEP 1.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • More info on how to prevent malware can also be found here (by Tony Klein)
    and here: http://wiki.castleco...t_Re-infection
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan

Edited by Susan528, 01 June 2006 - 06:29 AM.


#11 madmidgy

Posted 01 June 2006 - 06:48 AM

No problem Susan, I will. I already have Spybot etc. on the PC in question, so thanks again for your help and advice. Cheers

#12 Susan528

Posted 05 June 2006 - 07:50 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418
