Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91736 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Screen Turn Blue With "Warning Spyware Detected On


  • This topic is locked This topic is locked
12 replies to this topic

#1 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 05 June 2008 - 09:55 AM

Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. Files Infected: C:\Program Files\AXPDefender\AXPDefender.exe (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\blphc32hj0e15a.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\AXPDefender.exe.local (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\AXPDefenderSkin.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\database.dat (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\license.txt (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\MFC71.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\MFC71ENU.DLL (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\msvcp71.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\msvcr71.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Program Files\AXPDefender\Uninstall.exe (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Advanced XP Defender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\How to register.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\License Agreement.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Register.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Uninstall.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Desktop\AXPDefender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\sysrest32.exe (Rootkit.Agent) -> Delete on reboot. C:\Documents and Settings\HingWah\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPDefender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.

    Advertisements

Register to Remove


#2 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 05 June 2008 - 12:01 PM

Please Help!!!! Cockroach starts to appear on the screen.......... Thanks in Advance!!!!!

#3 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 06 June 2008 - 08:07 AM

No one wants to help me?? Am I doing something wrong??? Please advise.....

#4 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 09 June 2008 - 08:17 AM

I have Dell Window XP and realized there are others on this forum that has the same problem. Can someone please help?

#5 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 12 June 2008 - 05:43 AM

Hi, and Welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.


Sorry about the delay in responding :(

If you still need help, scan again with HijackThis, and "copy/paste" a new log file into this thread.

Then I will analyze your log and sort out a fix for you :)

Also please describe how your computer behaves at the moment.

I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your in your next post.
jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#6 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 12 June 2008 - 10:03 AM

Thank You for the reply!!!!! Update for Windows XP (KB931836) Update for Windows XP (KB932823-v3) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) URGE Verizon Online DSL Viewpoint Manager (Remove Only) VobSub v2.23 (Remove Only) Windows Defender Signatures Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Live Outlook Toolbar (Windows Live Toolbar) Windows Live Sign-in Assistant Windows Live Toolbar Windows Live Toolbar Windows Live Toolbar Extension (Windows Live Toolbar) Windows Live Toolbar Feed Detector (Windows Live Toolbar) Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 WinRAR archiver WordPerfect Office 11 x264 Revision 333 x264.nl (remove only) XviD Video Codec 24.2.2003-11:00 (uManiac's build)

#7 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 12 June 2008 - 10:14 AM

Hi, you seem to be missing most of your uninstall list there, please could you try and post it again? Also, I need to see the main log from HijackThis - please click "Do A System Scan And Save a Logfile" and post the resulting log. Thanks.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#8 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 12 June 2008 - 10:22 PM

Malwarebytes' Anti-Malware 1.14
Database version: 824

12:45:44 2008-06-04
mbam-log-6-4-2008 (12-45-44).txt

Scan type: Quick Scan
Objects scanned: 36812
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 14
Files Infected: 22

Memory Processes Infected:
C:\Program Files\AXPDefender\AXPDefender.exe (Rogue.AdvancedXPDefender) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AXPDefender\AXPDefenderSkin.dll (Rogue.AdvancedXPDefender) -> Unloaded module successfully.
C:\Program Files\AXPDefender\MFC71.dll (Rogue.AdvancedXPDefender) -> Unloaded module successfully.
C:\Program Files\AXPDefender\MFC71ENU.DLL (Rogue.AdvancedXPDefender) -> Unloaded module successfully.
C:\Program Files\AXPDefender\msvcp71.dll (Rogue.AdvancedXPDefender) -> Unloaded module successfully.
C:\Program Files\AXPDefender\msvcr71.dll (Rogue.AdvancedXPDefender) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPDefender (Rogue.AdvancedXPDefender) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\HingWah\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AXPDefender\AXPDefender.exe (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphc32hj0e15a.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\AXPDefender.exe.local (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\AXPDefenderSkin.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\database.dat (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\license.txt (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\MFC71.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\MFC71ENU.DLL (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\msvcp71.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\msvcr71.dll (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Program Files\AXPDefender\Uninstall.exe (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Advanced XP Defender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\How to register.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\License Agreement.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Register.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Uninstall.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\AXPDefender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\HingWah\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPDefender.lnk (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:25, on 2008-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lphc32hj0e15a.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "https://webbroker10..../logonForm.asp"); (C:\Documents and Settings\HINGWAH\Application Data\Mozilla\Profiles\default\6sj4dmyl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HINGWAH\Application Data\Mozilla\Profiles\default\6sj4dmyl.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc32hj0e15a] C:\WINDOWS\system32\lphc32hj0e15a.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7136 bytes


I did both all over again. Thank you and keep me advise please!!

#9 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 14 June 2008 - 10:19 AM

Hi

Identity Theft

It looks like you have been infected by a few Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we cannot guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities. I must remind you that i cannot guarantee that your computer will be completely clean afterwards since we have no way of knowing what has been done to it.

To help you make your decision, here are a few related articles that i suggest you read:


Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Thanks.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#10 BlueRuby

BlueRuby

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 14 June 2008 - 11:46 AM

???? How do I get something like that????? I dont run a company or anthing like that..... I havent log on to any credit cards sites or anything like that since it has been infected , you think Im still in danger of idenity theft? Thanks

#11 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 14 June 2008 - 01:10 PM

If you don't use this computer for online banking (or similar) at all, then you may be safe from identity theft. If you wish to attempt to clean this computer, then we can do so, but we cannot guarantee that your computer will be fully clean as anything could be done to it while it is compromised.

You mention that you haven't used any banking related sites since you found out you were infected, but have you used any before you knew you were infected? The infection could have already been present and lurking, without giving you the full symptoms.

I would still recommend that you change you passwords for things like email, paypal and anything else that you consider a slight risk if it was compromised (do this from a different computer).

Let me know what you want to do.

Thanks.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#12 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 17 June 2008 - 03:48 PM

Hi, have you come to a decision on this one?

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#13 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 20 June 2008 - 09:58 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users