x-ray cat

My pc has been taken over!!!

4 posts in this topic

G'day guys, my name's Brad and I have just recently, in the last week or so, been getting a lot of strange emails every day about me requesting virus information and other garbage, but whenever I receive these emails they are actually not even addressing me but calling me another name.

Also files have come up in my Kazaa shared folder and downloaded files and god knows where else, that aren't mine. I didn't download them, and when I try to delete them it's a lost cause coz they are just there again on startup. A lot of it is porn, and the rest appears to be software files; there's ones that mention crack files (such as microsoft office crack best, microsoft winxp crack full, crack & warez archive etc.). Finally my pc also keeps giving me a warning time till it shuts down, then when the time runs out it does exactly that. It's screwed.

I've done enough computer stuff at school to know that having a cracker inside my pc isn't a good thing. So if there is one, any help you can give me will be much appreciated.

I have enclosed a log if that helps too!!

ta brad

Logfile of HijackThis v1.97.7
Scan saved at 2:15:53 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svohost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\supu.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\System32\scrgrd.exe
C:\Documents and Settings\Brad\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: svchost.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7334CF-01ED-48B3-AA92-C442F5ED6B0B}: NameServer = 203.18.19.99 203.18.19.98


In spite of the entry in your log O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe, there is no antivirus program on your computer, and there are traces of at least two virus processes.

First, get an online scan at either Housecall or Panda A/V, and let it fix everything it finds.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: svchost.exe

Reboot, and delete

file
C:\WINDOWS\System32\swchost.exe
C:\WINDOWS\System32\svohost.exe
C:\WINDOWS\svchost.exe
scrgrd.exe

folder
C:\Program Files\Common Files\CMEII

These may be hidden files. See HERE for how to show hidden files.

Then install a resident antivirus program. AVG free edition from Grisoft is well thought of by many of the regulars here.

If you have removed Kazaa, uninstall P2P Networking from Add/Remove Programs. If not, then you are at great risk of reinfestation. I would suggest that you use a spyware-free alternative, such as WinMX.

Please post a follow-up HijackThis log, and say if your problems persist.

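To show how the reply above picks its entries out of the log, here is an added triage script that is not part of the thread and not HijackThis's own logic. It applies three assumed rules to a constructed sample of lines copied from the posted log: a Shell= value that is not exactly explorer.exe, a name one character away from svchost.exe (or a svchost.exe living outside System32), and an autostart entry with no path at all.

```python
"""Triage a HijackThis v1.x log with three assumed rules (not HijackThis's own logic)."""
import re

SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32"}  # name -> where it belongs
# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svohost.exe
C:\WINDOWS\svchost.exe
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: svchost.exe
"""

def near_miss(name):
    """Return the system binary that `name` mimics: same length, exactly one character differs."""
    for real in SYSTEM_BINARIES:
        if len(name) == len(real) and sum(a != b for a, b in zip(name, real)) == 1:
            return real
    return None

def split_path(value):
    """Split a possibly quoted command line into (lower-cased directory, basename)."""
    m = re.match(r'"([^"]+)"|(\S+)', value.strip())
    path = (m.group(1) or m.group(2)) if m else ""
    directory, _, base = path.lower().rpartition("\\")
    return directory, base

def triage(log):
    """Return (reason, line) pairs for log entries that deserve a closer look."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        # F0/F2: anything appended after explorer.exe is launched as part of the shell.
        m = re.match(r"F[02] - .*Shell=(.*)", line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(("extra program chained onto Shell=", line))
        # O4 autostart entries (program after the [name] tag) and bare process paths.
        m = re.match(r"O4 - [^:]*: (?:\[[^\]]*\]\s*)?(.*)", line) or re.match(r"([A-Za-z]:\\.*)", line)
        if not m:
            continue
        directory, base = split_path(m.group(1))
        if real := near_miss(base):
            findings.append((f"{base} is one character away from {real}", line))
        elif base in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[base]:
            findings.append((f"{base} outside {SYSTEM_BINARIES[base]}", line))
        elif not directory and base.endswith(".exe"):
            findings.append(("autostart entry with no path, resolved by PATH search", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two misspelt svchost look-alikes, both out-of-place svchost.exe entries, the chained Shell= value and the path-less scrgrd.exe, while the QuickTime entry passes.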

Hey x-ray cat. From your post it appears you may have a variant of the Nibu trojan or Plexus worm. Had to investigate a computer that had gotten infected with a variant of one/both of these. You may want to check for the following files, and delete them.

C:\WINDOWS\prntsvr.dll
C:\WINDOWS\prntc.log
C:\WINDOWS\prntk.log

If you find those files, check in your Temp directory for

fa4537ef.tmp
fe43e701.htm
feff35a0.htm

If you found the above, then chances are good you had one of the malware programs I mentioned above. The above files are part of a keylogger and clipboard logger that were installed upon infection. You can look at the contents of everything but the prntsvr.dll file using Notepad, as they are just text. They will have some of the information that was logged while you were using your infected PC. Periodically the virus/trojan/whatever will send the contents of these files out to someone via email or Web. The data sent could have had your usernames, passwords, personal or financial information, emails you wrote, anything!

Change your passwords now! Think about what you had done on your PC recently, and what information you may have entered while the PC was infected, and respond accordingly to protect yourself.

Also, you should check the "hosts" file in "C:\WINDOWS\System32\Drivers\etc\". Part of the infection for both of the malware programs is to modify that file, so that most of the URLs for the major anti-virus programs resolve to your PC (127.0.0.1), thus effectively preventing you from getting updates... once you install one, anyway!

Hope this helps,

Guardian

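Guardian's hosts-file check, written out as an added example that is not from the thread: it parses the hosts file format (one IP followed by hostnames, `#` starting a comment), flags any watched security-vendor name that is pinned to the local machine, and returns a cleaned copy with only those lines dropped. The watch list and the sample file are constructed assumptions, not data from the thread.

```python
"""Find security-vendor names that a tampered hosts file points back at the local machine."""
import ipaddress

# Assumed watch list; add the update hosts of whatever product is actually installed.
WATCHED_SUFFIXES = ("symantec.com", "norton.com", "mcafee.com", "grisoft.com",
                    "trendmicro.com", "pandasoftware.com", "windowsupdate.com")
LOCAL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}  # any of these blackholes the name

# Constructed sample resembling the tampering described above (not a real captured file).
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost

127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com   # trailing comment
127.0.0.1 www.grisoft.com
127.0.0.1 housecall.trendmicro.com
192.168.1.10    fileserver.lan
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text; malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, so nothing resolves through it
        for host in fields[1:]:
            yield ip, host.lower()

def is_watched(host):
    """True when `host` is a watched domain or a name beneath one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_blackholed(text):
    """Return (ip, hostname) pairs where a watched name is pinned to the local machine."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if ip in LOCAL_TARGETS and is_watched(host)]

def clean_hosts(text):
    """Return the file with the offending lines removed; every other line is kept verbatim."""
    bad = {host for _, host in find_blackholed(text)}
    kept = []
    for raw in text.splitlines():
        names = {h.lower() for h in raw.split("#", 1)[0].split()[1:]}
        if not names & bad:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

On a live machine, read C:\WINDOWS\System32\Drivers\etc\hosts into `find_blackholed` first and review the list before writing the `clean_hosts` output back.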