Stubborn Spyware Slowing My System!


This topic is locked
15 replies to this topic

#1 russkahn (Full Member, 7 posts)

Posted 16 June 2007 - 12:54 PM

Hi helpful folks,

I nabbed some malicious spyware/virus junk on my in-laws' laptop (ouch, right?) when I went online unaware that they had no firewall or virus protection. Since then, I've run every test and tried to undo all the damage. I still get occasional pop-ups and--worse yet--the computer is painfully, painfully slow.

At first I ended up with a red background and constant reminders to go to antispysolutions. Now those are gone, but I get occasional pop-ups--to BOLT, eBay--on IE, even though I'm using Firefox.

Anyway, I followed all of the steps listed here: http://au.answers.ya...04190852AAxQmpM

The programs found a bunch of things and quarantined or deleted everything they found. And yet it takes 10 minutes to boot up--and I usually get a message that says my virtual memory is low after running the machine for a while. The computer is borderline useless, given the speed it's operating at.

I don't see anything in particular eating up the CPU usage, though it does spike to over 50%. The PF Usage is very high--the yellow line runs across near the top of the graph. Don't know if that indicates anything. How can I tell?

Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:44:09 PM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bob Sieminski\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135709867250
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--

Any help is monumentally appreciated. I suppose I should just try to reinstall Windows and try to start from scratch. But maybe you guys can offer some advice.

Many thanks!

RK
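Two entries in the log above are the ones a log reader would single out first: the O4 autorun for hwfutczk.exe, launched from All Users\Application Data (a directory any user can write to, and one no legitimate installer uses for its executables; DrWeb later in this thread names it Trojan.Swizzor), and the HKCU Run entry for csrss.exe in C:\WINDOWS. The real Client/Server Runtime lives in C:\WINDOWS\system32 and is started by smss.exe, never from a Run key, so a Run-key csrss.exe in the Windows root is a process-name impersonation. The following is an added example, not code from the original thread or from HijackThis, that parses O4 Run-key lines and scores them with those reviewer heuristics: executable outside a trusted root, executable in a user-writable data directory, a bare filename resolved through the search path, and a basename that mimics a core Windows process. The sample lines are excerpted from the log above; the trusted/data directory lists, the weights and the flagging threshold are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# O4 lines excerpted from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First (optionally quoted) token ending in .exe; paths with spaces are usually unquoted in HJT logs.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)

# Core Windows processes that the kernel/smss/winlogon start; a Run key never does. (Assumed list.)
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Directory roots treated as trusted vs. user-writable. Both lists are assumptions for the example.
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows\system32")
DATA_ROOTS = (r"c:\documents and settings", r"c:\windows\temp")


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    exe: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_o4(line):
    """Parse a Run-key O4 line; Startup-folder O4 forms return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", m.group("cmd"))  # drop HJT's "(User 'SYSTEM')" suffix
    e = EXE_RE.match(cmd)
    exe = e.group("exe") if e else cmd.split()[0]
    return Autorun(m.group("hive"), m.group("name"), cmd, exe)


def score(entry):
    """Attach reviewer heuristics to an Autorun; weights are assumptions, not a standard."""
    p = PureWindowsPath(entry.exe)
    base, parent = p.name.lower(), str(p.parent).lower()
    if parent == ".":
        entry.score += 1
        entry.reasons.append("bare filename, resolved through the search path")
    elif parent.startswith(DATA_ROOTS):
        entry.score += 3
        entry.reasons.append("executable lives in a user-writable data directory")
    elif parent.startswith(TRUSTED_ROOTS):
        pass
    elif parent == r"c:\windows":
        entry.score += 2
        entry.reasons.append("executable in the Windows root rather than System32")
    else:
        entry.score += 1
        entry.reasons.append("executable in an unrecognised directory")
    if base in SYSTEM_ONLY:
        entry.score += 4
        entry.reasons.append("named after a core Windows process that is never started from a Run key")
    return entry


def triage(text, threshold=3):
    """Return Run-key autoruns scoring at or above threshold, highest score first."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry and score(entry).score >= threshold:
            flagged.append(entry)
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"{e.score:>2}  {e.hive}\\..\\Run [{e.name}] -> {e.exe}")
        for r in e.reasons:
            print("      -", r)
```

Run as-is, it flags csrss (score 6) and hwfutczk.exe (score 3) and nothing else from the excerpt. The location rules deliberately do not try to judge whether a name "looks random"; that cue is noisy (ctfmon.exe and SynTPEnh.exe look just as odd as hwfutczk.exe) and is better left to a lookup against a known-startups list.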

#2 SWI Support Robot (Helper robot, 23,520 posts)

Posted 19 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 24 June 2007 - 09:30 AM

Hi,

Sorry you've had to wait for a few days, but all of the helpers here are volunteers and we've been really busy recently.

First, please download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Once you have run ComboFix and before posting your log from that scan, please download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
I’ll look out for your reply :)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#4 russkahn (Full Member, 7 posts)

Posted 25 June 2007 - 04:09 PM

Thank you so, so, so much. I really appreciate that you guys are volunteering to help others like this. Makes me have a little more faith in the world...

Anyway, I followed all of the steps shown above. So far the computer seems to be running faster, though perhaps it's just my imagination. In any event, here are the results of my DrWeb log:

hwfutczk.exe;c:\documents and settings\all users\application data;Trojan.Swizzor;Will be cured after reboot.;
hwfutczk.exe;C:\Documents and Settings\All Users\Application Data;Trojan.Swizzor;Deleted.;
csrss.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.LowZones.234;Deleted.;
os1zn2mO7Z.exe;C:\WINDOWS;Trojan.Swizzor;Deleted.;

I will post again once I can tell for sure if the computer has been healed. But I definitely had/have some nasty stuff on my machine!

THANKS!

- RK

#5 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 26 June 2007 - 04:08 PM

Hello again,

Thanks for running those scans.

Please could you let me see the log from the ComboFix scan too?

Thanks :D
Chancellor


#6 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 03 July 2007 - 03:02 PM

Hello,

I just thought I would see how you were getting on with your computer . . . Do you still need help or shall we close this thread?

:)
Chancellor


#7 russkahn (Full Member, 7 posts)

Posted 06 July 2007 - 05:00 PM

Hi there--

Thanks so much for checking in again. I had a family crisis and had to leave town for a little bit. Unfortunately, the computer is still bogged down by whatever remnants of spyware there are. AVG keeps finding threats and deleting or quarantining them, but that's not doing anything. I'm really having trouble with this machine, and (once again) I really appreciate the help.

Anyway, here is the Combo log:

ComboFix 07-06-18.2 - C:\Documents and Settings\Bob Sieminski\Desktop\ComboFix.exe
"Bob Sieminski" - 2007-07-06 16:44:00 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-06-25 15:31 <DIR> d-------- C:\DOCUME~1\BOBSIE~1\DoctorWeb
2007-06-25 13:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-23 18:14 <DIR> d-------- C:\WINDOWS\system32\qchrqilr
2007-06-23 18:00 99,072 --a------ C:\qchrqilr1.exe
2007-06-23 18:00 94,464 --a------ C:\qchrqilr3.exe
2007-06-23 18:00 100,096 --a------ C:\qchrqilr2.exe
2007-06-23 17:57 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-11 19:14 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-11 04:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-11 04:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-11 04:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-11 04:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-11 03:52 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-06-11 03:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-11 01:57 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-06-11 01:57 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-06-11 01:10 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-06-11 01:10 12 --a------ C:\WINDOWS\system32\sl.bin
2007-06-11 01:09 9,984 --a------ C:\WINDOWS\mspphe.dll
2007-06-11 01:09 9,216 --a------ C:\WINDOWS\bjam.dll
2007-06-11 01:09 32,512 --a------ C:\WINDOWS\mssvr.exe
2007-06-11 01:09 31,744 --a------ C:\WINDOWS\SUSP.exe
2007-06-11 01:09 31,232 --a------ C:\WINDOWS\180ax.exe
2007-06-11 01:09 30,208 --a------ C:\WINDOWS\system32\wml.exe
2007-06-11 01:09 29,952 --a------ C:\WINDOWS\7search.dll
2007-06-11 01:09 29,184 --a------ C:\WINDOWS\voiceip.dll
2007-06-11 01:09 28,928 --a------ C:\WINDOWS\cdsm32.dll
2007-06-11 01:09 27,904 --a------ C:\WINDOWS\bokja.exe
2007-06-11 01:09 26,880 --a------ C:\WINDOWS\stcloader.exe
2007-06-11 01:09 26,112 --a------ C:\WINDOWS\satmat.exe
2007-06-11 01:09 24,064 --a------ C:\WINDOWS\flt.dll
2007-06-11 01:09 23,296 --a------ C:\WINDOWS\pbar.dll
2007-06-11 01:09 21,760 --a------ C:\WINDOWS\updatetc.exe
2007-06-11 01:09 20,480 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-06-11 01:09 20,480 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-06-11 01:09 20,224 --a------ C:\WINDOWS\swin32.dll
2007-06-11 01:09 19,456 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-06-11 01:09 19,200 --a------ C:\WINDOWS\salm.exe
2007-06-11 01:09 15,360 --a------ C:\WINDOWS\vxddsk.exe
2007-06-11 01:09 15,104 --a------ C:\WINDOWS\wml.exe
2007-06-11 01:09 12,800 --a------ C:\WINDOWS\saiemod.dll
2007-06-11 01:09 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-06-11 01:09 11,830 --a------ C:\syslyzq.exe
2007-06-10 17:24 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-07 11:21 <DIR> d-------- C:\DOCUME~1\BOBSIE~1\APPLIC~1\Smith Micro
2007-06-07 11:19 <DIR> d-------- C:\Program Files\Verizon Wireless
2007-06-07 11:19 <DIR> d-------- C:\Program Files\Novatel Wireless
2007-06-07 11:13 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 22:25:14 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-19 01:04:25 -------- d-----w C:\DOCUME~1\BOBSIE~1\APPLIC~1\Viewpoint
2007-05-18 23:06:21 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-18 23:06:20 56 --sh--r C:\WINDOWS\system32\12FEC6E747.sys
2007-05-17 01:35:15 67,856 ----a-w C:\DOCUME~1\BOBSIE~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 16:09:07 -------- d--h--w C:\DOCUME~1\BOBSIE~1\APPLIC~1\Gtek
2007-05-14 16:00:38 -------- d-----w C:\Program Files\DellSupport
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{38847C4B-1AB1-4A47-9026-9A6CF7B43D31}=C:\WINDOWS\system32\msdn_lib.dll []
{4D25F921-B9FE-4682-BF72-8AB8210D6D75}=C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 02:05]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 07:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 00:42 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-08-01 17:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-11 01:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-11 01:03]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 13:12]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05]
"bacstray"="C:\Program Files\Broadcom\BACS\BacsTray.exe" [2005-07-13 17:54]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-11 01:57]
"hwfutczk.exe"="C:\Documents and Settings\All Users\Application Data\hwfutczk.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-16 17:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"csrss"="C:\WINDOWS\csrss.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


Contents of the 'Scheduled Tasks' folder
2007-06-25 05:00:00 C:\WINDOWS\tasks\At1.job
2007-06-11 06:09:26 C:\WINDOWS\tasks\At10.job
2007-06-11 15:00:35 C:\WINDOWS\tasks\At11.job
2007-06-12 16:03:47 C:\WINDOWS\tasks\At12.job
2007-06-25 17:00:00 C:\WINDOWS\tasks\At13.job
2007-06-25 18:00:00 C:\WINDOWS\tasks\At14.job
2007-06-25 19:00:00 C:\WINDOWS\tasks\At15.job
2007-06-25 20:00:00 C:\WINDOWS\tasks\At16.job
2007-06-29 21:00:01 C:\WINDOWS\tasks\At17.job
2007-06-29 22:00:20 C:\WINDOWS\tasks\At18.job
2007-06-29 23:00:00 C:\WINDOWS\tasks\At19.job
2007-06-24 06:00:00 C:\WINDOWS\tasks\At2.job
2007-06-30 00:00:00 C:\WINDOWS\tasks\At20.job
2007-06-24 01:00:00 C:\WINDOWS\tasks\At21.job
2007-06-25 02:00:00 C:\WINDOWS\tasks\At22.job
2007-06-25 03:00:00 C:\WINDOWS\tasks\At23.job
2007-06-25 04:00:00 C:\WINDOWS\tasks\At24.job
2007-06-24 07:00:01 C:\WINDOWS\tasks\At3.job
2007-06-13 08:00:43 C:\WINDOWS\tasks\At4.job
2007-06-13 09:00:03 C:\WINDOWS\tasks\At5.job
2007-06-11 10:00:38 C:\WINDOWS\tasks\At6.job
2007-06-11 11:00:51 C:\WINDOWS\tasks\At7.job
2007-06-11 06:09:26 C:\WINDOWS\tasks\At8.job
2007-06-11 06:09:26 C:\WINDOWS\tasks\At9.job
2005-12-23 18:30:00 C:\WINDOWS\tasks\ISP signup reminder 1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 16:52:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 16:55:29
C:\ComboFix-quarantined-files.txt ... 2007-07-06 16:55
C:\ComboFix2.txt ... 2007-06-25 14:30

--- E O F ---
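Two things in the ComboFix log above tell the story before any single filename does. First, some two dozen files (180ax.exe, 7search.dll, bokja.exe, salm.exe, mssvr.exe and the rest) were written into C:\WINDOWS, C:\WINDOWS\system32 and C:\ within the same minute, 2007-06-11 01:09: one dropper unpacking a bundle, not a user installing anything. A smaller cluster, qchrqilr1.exe through qchrqilr3.exe, lands in C:\ at 2007-06-23 18:00, which is after the first round of scans and after the first post in this thread, so something was still active or was re-downloaded. Second, the Scheduled Tasks folder holds At1.job through At24.job, one job per hour of the day, with last-run stamps on the hour; the AT service names jobs that way, and a home user does not create twenty-four of them. The following is an added example, not part of the thread or of ComboFix, that reads both sections of a ComboFix log and surfaces exactly those two patterns. The listings are excerpted from the log above (the full "Files Created" section is longer); the burst threshold of three files per minute and the ten-second "on the hour" tolerance are my assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the "Files Created" section of the ComboFix log above.
FILES_CREATED = r"""
2007-06-25 13:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-23 18:00 99,072 --a------ C:\qchrqilr1.exe
2007-06-23 18:00 94,464 --a------ C:\qchrqilr3.exe
2007-06-23 18:00 100,096 --a------ C:\qchrqilr2.exe
2007-06-23 17:57 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-11 04:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-11 01:57 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-06-11 01:09 9,984 --a------ C:\WINDOWS\mspphe.dll
2007-06-11 01:09 32,512 --a------ C:\WINDOWS\mssvr.exe
2007-06-11 01:09 31,232 --a------ C:\WINDOWS\180ax.exe
2007-06-11 01:09 30,208 --a------ C:\WINDOWS\system32\wml.exe
2007-06-11 01:09 29,952 --a------ C:\WINDOWS\7search.dll
2007-06-11 01:09 27,904 --a------ C:\WINDOWS\bokja.exe
2007-06-11 01:09 19,200 --a------ C:\WINDOWS\salm.exe
2007-06-11 01:09 11,830 --a------ C:\syslyzq.exe
2007-06-10 17:24 1,156 --a------ C:\WINDOWS\mozver.dat
"""

# Excerpt of the "Contents of the 'Scheduled Tasks' folder" section of the same log.
SCHEDULED_TASKS = r"""
2007-06-25 05:00:00 C:\WINDOWS\tasks\At1.job
2007-06-11 06:09:26 C:\WINDOWS\tasks\At10.job
2007-06-25 17:00:00 C:\WINDOWS\tasks\At13.job
2007-06-25 18:00:00 C:\WINDOWS\tasks\At14.job
2007-06-25 19:00:00 C:\WINDOWS\tasks\At15.job
2007-06-25 20:00:00 C:\WINDOWS\tasks\At16.job
2007-06-24 06:00:00 C:\WINDOWS\tasks\At2.job
2007-06-30 00:00:00 C:\WINDOWS\tasks\At20.job
2007-06-24 07:00:01 C:\WINDOWS\tasks\At3.job
2005-12-23 18:30:00 C:\WINDOWS\tasks\ISP signup reminder 1.job
"""

# "<date> <hh:mm> <size or <DIR>> <attributes> <path>"
FILE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hm>\d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# "<date> <hh:mm:ss> C:\WINDOWS\tasks\<job>.job"
TASK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} (?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) C:\\WINDOWS\\tasks\\(?P<job>.+\.job)$",
    re.IGNORECASE,
)
AT_RE = re.compile(r"^At(\d+)\.job$")  # naming scheme used by the AT service


def find_bursts(listing, min_files=3):
    """Group created files by creation minute; return (minute, paths) for minutes with >= min_files."""
    by_minute = defaultdict(list)
    for line in listing.splitlines():
        m = FILE_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        by_minute[f"{m.group('day')} {m.group('hm')}"].append(m.group("path"))
    return sorted((k, v) for k, v in by_minute.items() if len(v) >= min_files)


def at_job_series(listing, min_jobs=3):
    """Collect At<N>.job tasks and count how many last ran on the hour (assumed 10 s tolerance)."""
    numbers, on_the_hour = [], 0
    for line in listing.splitlines():
        m = TASK_RE.match(line.strip())
        at = AT_RE.match(m.group("job")) if m else None
        if not at:
            continue
        numbers.append(int(at.group(1)))
        # The .job file is rewritten when the task runs, so ComboFix's timestamp is
        # effectively the last-run time; stamps on the hour indicate an hourly trigger.
        if m.group("mi") == "00" and int(m.group("s")) < 10:
            on_the_hour += 1
    numbers.sort()
    return {"numbers": numbers, "on_the_hour": on_the_hour, "suspicious": len(numbers) >= min_jobs}


if __name__ == "__main__":
    for minute, paths in find_bursts(FILES_CREATED):
        print(f"{minute}: {len(paths)} files created within one minute")
        for p in paths:
            print("   ", p)
    print(at_job_series(SCHEDULED_TASKS))
```

On the excerpt this reports the 2007-06-11 01:09 burst (eight files in the excerpt, more in the full log) and the 2007-06-23 18:00 cluster, and a nine-member At-job series with eight on-the-hour last runs. A reviewer would then look at the files in the burst as one unit (same packer, same quarantine action) rather than chasing them one name at a time, and would treat the At jobs as the relaunch mechanism that keeps bringing the infection back after each scan.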

#8 Chancellor (Forum Deity, Emeritus, 3,020 posts)

Posted 07 July 2007 - 08:23 AM

Hello again,

Thanks for replying!

As you have mentioned that your AVG is detecting problems, could you let me see a log from your AVG scanner and a fresh HijackThis log and we'll see where we need to go from there.

:D
Chancellor


#9 russkahn (Full Member, 7 posts)

Posted 07 July 2007 - 12:27 PM

Thanks, Chancellor!

Like I said, I'm still fairly infected. The logs will probably show that... Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:22:37 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Bob Sieminski\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135709867250
O17 - HKLM\System\CCS\Services\Tcpip\..\{C477D93E-04A7-4327-A313-504C3524547A}: NameServer = 66.174.95.44 66.174.92.14
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 8556 bytes


And, for your enjoyment, here is the AVG log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:16:38 PM 7/7/2007

+ Scan result:





::Report end

Once again, thanks for any help you can offer...

#10 Chancellor

Chancellor

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 3,020 posts

Posted 08 July 2007 - 06:06 PM

Hello again,

Thanks for posting your updated logs :)

There is one especially serious entry which we need to address:

The entry O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe relates to a keylogging Trojan; you can read more about it here:

http://www.sophos.co...ojkeylogaq.html

This file can allow an attacker to gain control of your system, log your keystrokes, steal your passwords and access your personal data.

So please run HijackThis again and place a check next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe


Now, having checked those entries, close all other open windows and browsers EXCEPT HijackThis and click on the Fix checked button.

Then, using Windows Explorer, please locate and delete the following files:

C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
C:\WINDOWS\csrss.exe

========================================================

Having done this, I would strongly advise you to change any passwords or security information which may be held on your computer immediately - especially those which relate to online banking, shopping, your credit cards or to any other sensitive personal information!

Although I must caution you that even taking all of these steps will not guarantee that your system is completely safe. After an infection such as this, many security experts consider that the only way to be absolutely sure you are safe is to completely reformat your hard drive and re-install Windows!


========================================================

Of course, this remains a decision for you. If you have backups of all your important files, documents and pictures it might not be so daunting. Although, if you have any questions about this process, don't hesitate to post them here and I will endeavour to assist you.

Please let me know what you have decided to do.

I’ll look out for your reply.

:)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#11 russkahn

russkahn

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 08 July 2007 - 08:24 PM

Wow, that is terrifying about a keylogging trojan! Fortunately, this laptop is not my primary computer--and I felt unsure enough with this computer to avoid entering any passwords or private information. That said, I should probably wipe it clean so I can sleep better at night. Formatting the machine will reset the settings completely, yes?

I followed the steps above, though I could not find the two malicious files in the places you said. Perhaps HijackThis deleted them? The computer still booted up fairly slowly, though I haven't seen any AVG warnings yet.

There have been requests to access the internet from my computer--alerted to me through the firewall--though most seem to be harmless. Not sure what the first one is, though: SNMP Service, mim, AVG, and Musicmatch.

Cannot thank you enough for working with me on this problem. That you offer your services like this without pay or favor is incredible.

#12 russkahn

russkahn

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 08 July 2007 - 09:59 PM

Hi again,

I found csrss.exe files in the C:\i386 and C:\Windows\System32 folders, but both were modified years ago. Should I worry about those? No record of the hwfutczk file in my system...

Yeesh, what a mess...

#13 Chancellor

Chancellor

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 3,020 posts

Posted 09 July 2007 - 02:49 AM

Hi again,

I found csrss.exe files in the C:\i386 and C:\Windows\System32 folders, but both were modified years ago. Should I worry about those? No record of the hwfutczk file in my system...

Yeesh, what a mess...

Hello again,

The other two csrss.exe files are legitimate and vital for Windows to run correctly!

One of the tricks of malware writers is to name their files the same as essential Windows components to make them appear legitimate.

To answer your previous question though - formatting will reset all of your computer's settings.

If you have decided to reformat and re-install, these instructions may be useful:

If you have a backup program, you should use this to backup your data before starting the new Windows installation. You don't need to backup actual program files, just backup your data files as your programs can be reinstalled later. I would recommend you save your data to CD/DVD or to an external device such as a USB or Zip drive.

It is important to remember that when you re-install Windows, since you want to be installing from scratch, you need to ensure that you delete your previous installation rather than simply doing a repair of it.

There are an excellent series of instructions HERE complete with screenshots of what to expect at each step. I would recommend that you print out those instructions before proceeding any further.

Now, disconnect from the Internet before proceeding with the installation (actually pull your connection cable out!)

When you get to step 10b, choose to delete the partition by pressing "D". You will then be prompted to create a new partition in the empty space. This will remove all data from the deleted space.

Once you have reinstalled Windows you should:
  • Install your Antivirus
  • Install your Firewall
  • Reconnect to the Internet
  • Update your AntiVirus
  • Go to Windows Update and install SP2 together with ALL critical updates
If you are going to continue using your laptop as is - could you let me know and we will go through some security enhancements.

:D
Chancellor

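To illustrate the point above about malware borrowing the names of core Windows components, here is an added Python example (not code from the thread or from HijackThis) that reads HijackThis O4 autostart lines and flags entries whose executable is named like a core Windows process but runs from outside system32, or whose image lives under a data directory. The system directory, the core-process list and the directory markers are assumptions constructed for the example; the sample log lines are taken from the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis O4 registry autostart line, e.g.
#   O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
# Startup-folder entries ("... .lnk = path") deliberately do not match.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption: names of core Windows XP processes that all live in system32.
CORE_WINDOWS_PROCESSES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Assumption: the system directory of the machine in the thread.
# On a real host read it from %SystemRoot% instead of hard-coding it.
SYSTEM32_DIR = "c:\\windows\\system32"

# Assumption: directory fragments where a legitimate autostart image rarely lives.
DATA_DIR_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    value_name: str   # the bracketed Run value name
    image_path: str   # executable the entry launches
    reason: str


def extract_image_path(cmd: str) -> str:
    """Return the executable from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # "C:\Program Files\x.exe" /flag
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path that may contain spaces: take everything up to the first ".exe".
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def assess_entry(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O4 Run entry, or None."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    path = extract_image_path(m.group("cmd"))
    low = path.lower()
    parent, _, base = low.rpartition("\\")      # bare names give parent == ""
    if base in CORE_WINDOWS_PROCESSES:
        if parent != SYSTEM32_DIR:
            return Finding(m.group("name"), path,
                           f"{base} is a core Windows process name but runs from "
                           f"'{parent or '(no path)'}', not {SYSTEM32_DIR}")
        return None                             # the real one; leave it alone
    if any(marker in low for marker in DATA_DIR_MARKERS):
        return Finding(m.group("name"), path, "autostart image lives under a data directory")
    return None


def scan_log(text: str) -> List[Finding]:
    """Assess every line of a HijackThis log and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = assess_entry(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: a handful of O4 lines copied from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.value_name}] {f.image_path}: {f.reason}")
```

The scan reports only the two entries Chancellor singled out (hwfutczk.exe and the out-of-place csrss.exe) and stays quiet about the genuine csrss.exe in system32.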

#14 russkahn

russkahn

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 09 July 2007 - 10:43 AM

Yeah, I figured that those were legitimate files given that they were dated from the computer's origin. That said, I couldn't find the evil version of csrss.exe. AVG shows that I'm still badly infected, finding over 100 tracking cookie threats.

Anyway, it looks like I'm going to have to wipe the machine. It's okay because there isn't a tremendous amount of material on it that I'd need; like I said, this is not my main computer--so there's nothing I would really even need to backup that I couldn't do by saving a few recent files. Unfortunately, I'm away from my Windows and other startup discs, so it will have to wait a day or two.

If there is something I can do in the meantime to upgrade my security, let me know. Otherwise, I will simply avoid entering any private information on it and format the computer when I can.

So there are some bad guys out there monitoring my keystrokes, huh? :rant:

#15 Chancellor

Chancellor

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 3,020 posts

Posted 11 July 2007 - 02:38 AM

Anyway, it looks like I'm going to have to wipe the machine. It's okay because there isn't a tremendous amount of material on it that I'd need; like I said, this is not my main computer--so there's nothing I would really even need to backup that I couldn't do by saving a few recent files. Unfortunately, I'm away from my Windows and other startup discs, so it will have to wait a day or two.

Hello again,

It is always a shame when someone ends up having to wipe their hard drive because of malware. But unfortunately, it is sometimes the only way to finally get rid of some of the worst infections.

So there are some bad guys out there monitoring my keystrokes, huh?

These days, information is definitely power and there are so many people willing to buy and sell information (even things which to you or me might seem valueless will have a value to someone), so again, unfortunately, until the governments take a strong stance against this type of crime, it will probably get worse and we will see more and more keyloggers out there!

As for protection, in the short term, I would recommend that you install a Firewall. This should always be your first line of defence against attacks. There are several available online which you can download for free, for example:

Outpost
Zone Alarm
Kerio Personal Firewall

Also, if you are not using an Anti-Virus program, you should install one of these free programs immediately, keep their definitions up to date, and scan your system regularly.

AntiVir
AVG AntiVirus
Avast Anti-Virus

Once you have reformatted, if you want to let me know, I will go through some other security tips and advice with you.

With best wishes for the future,

:D

Edited by Chancellor, 11 July 2007 - 02:43 AM.

Chancellor


#16 Chancellor

Chancellor

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 3,020 posts

Posted 17 July 2007 - 01:54 PM

Sorry we couldn’t help you on this occasion :(

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Chancellor

