Computer Hope
Software => Computer viruses and spyware => Topic started by: jade14 on November 08, 2007, 02:12:10 PM
-
A message that says "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now..... etc etc.." pops up about every 5 minutes. I've done a few virus scans and whatnot but it's still not gone. :(
-
Install HijackThis: http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html
and post its log here.
-
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:26:34 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Computer\My Documents\HiJackThis_v2.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - S-1-5-18 Startup: infos.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: infos.exe (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: www.youtube.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
--
End of file - 3078 bytes
-
I'll take a look...
-
First of all, I don't see any firewall, nor antivirus listed on your system. This is inexcusable!
If you're running Windows firewall, let me know.
If not...
Please, download, and install immediately, two following items:
- Comodo free firewall: http://www.personalfirewall.comodo.com/
- Avg free antivirus: http://free.grisoft.com/doc/2/
Run full AVG scan, and post new HJT log.
-
I have Avast Antivirus ?
I downloaded those programs though.
-
Wait, do nothing!!!
-
Two important questions, you have to answer BEFORE you do anything.
1. Do you have Windows firewall turned on?
2. Even, if you have Avast!, HJT shows, that it's not turned on.
Please, explain, and do nothing more.
-
How do I know if it's turned on? I didn't even know I had Windows Firewall.
-
To turn your Windows firewall on:
# Click on the Start Menu
# Click on Control Panel
# Click on Security Center
# Click on Windows Firewall toward the bottom the Security Center Window.
# Choosing between the “On” or “Off” will turn enable or disable Windows Firewall.
As for Avast!, you should have it listed under Start>Program Files.
Open Avast!, and see, if it's set to start when Windows start.
-
Firewall is now on. For avast it was checked beside "Test memory during application start up". If that's what you meant? It's the only thing I could find that had anything to do with it being on when windows start.
-
Firewall is now on.
Cool, for now...
For avast it was checked beside "Test memory during application start up". If that's what you meant?
No, that's not enough.
I'm not that familiar with Avast! program, so let's do this.
Hover your mouse over every icon in notification area of your taskbar (next to clock).
If Avast! is not listed there, go Start>Control Panel>Add\Remove. If Avast! is listed there, uninstall it. If not listed, do nothing.
After that, go ahead, and install AVG.
After installing AVG (it may ask you to restart your computer), right click on its icon (4-color square) in your taskbar, click on Check for updates (if it didn't ask you before). Install updates.
Right click on AVG icon, click on Launch AVG Test Center, click on Scan Computer.
Grab a coffee, or watch some TV. It'll take a while.
Report back, when you're done.
-
K I'm done, and it found a bunch of 'threats'. I haven't done anything with them yet. What should I do? Move to vault? Heal?
-
Very good!!!
Try "heal", first. Whatever can't be healed, move to vault.
Meanwhile, I'll be preparing next step for you.
Let me know, when you're done.
-
All done!
Most of them couldn't be healed so I just moved them to the vault.
-
Bravo!
Next step.
1. Print out these instructions as we will need to close every window that is open later in the fix.
2. Download SmitfraudFix.exe from here and save it to your desktop:
http://www.bleepingcomputer.com/files/smitfraudfix.php
3. Next, please reboot your computer into Safe Mode by doing the following:
a. Restart your computer
b. Start tapping F8 key
c. A menu will appear
d. Select the first option, to run Windows in Safe Mode.
4. Close all open Windows.
5. Now, double-click on the SmitFraudfix icon.
6. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
7. You will now see a menu. Press the number 2 on your keyboard and the press the Enter key to choose the option Clean.
8. The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program.
This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up a long time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with next step.
9. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the Enter key.
10. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
11. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer.
Save that log to your desktop, and attach it to your next reply.
-
SmitFraudFix v2.250
Scan done at 23:05:27.43, Thu 11/08/2007
Run from C:\Documents and Settings\Computer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 *Blocked Russian URL*
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.downloads1.kaspersky-labs.com
192.168.200.3 ftp.downloads2.kaspersky-labs.com
192.168.200.3 ftp.downloads3.kaspersky-labs.com
192.168.200.3 ftp.f-secure.com
192.168.200.3 *Blocked Russian URL*
192.168.200.3 ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 *Blocked Russian URL*
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 www.avp.ch
192.168.200.3 www.avp.com
192.168.200.3 *Blocked Russian URL*
192.168.200.3 www.awaps.net
192.168.200.3 www.ca.com
192.168.200.3 www.f-secure.com
192.168.200.3 www.fastclick.net
192.168.200.3 www.grisoft.com
192.168.200.3 www.kaspersky-labs.com
192.168.200.3 www.kaspersky.com
192.168.200.3 *Blocked Russian URL*
192.168.200.3 www.mcafee.com
192.168.200.3 www.my-etrust.com
192.168.200.3 www.nai.com
192.168.200.3 www.networkassociates.com
192.168.200.3 www.sophos.com
192.168.200.3 www.symantec.com
192.168.200.3 www.symantec.com
192.168.200.3 www.trendmicro.com
192.168.200.3 www.viruslist.com
192.168.200.3 *Blocked Russian URL*
192.168.200.3 www.virustotal.com
192.168.200.3 www3.ca.com
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\bronto.dll Deleted
C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\WinAvXX.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{96C10D87-0213-462A-B4EE-2DE10818F12C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{96C10D87-0213-462A-B4EE-2DE10818F12C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{96C10D87-0213-462A-B4EE-2DE10818F12C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
»»»»»»»»»»»»»»»»»»»»»»»» End
-
Very nice!
Now, post your fresh HJT log.
-
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:23:52 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Computer\My Documents\HiJackThis_v2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: www.youtube.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
--
End of file - 3285 bytes
-
Let me see what crap you have left there....
-
Beautiful!!! Your computer is totally clean.
One more thing, though. I can see, you're running Comodo firewall already (I didn't ask you to install it, yet), and your Windows firewall is on, as well.
You can't run two firewalls at the same time.
Turn your Windows firewall off (it's next to worthless, anyway), by following:
# Click on the Start Menu
# Click on Control Panel
# Click on Security Center
# Click on Windows Firewall toward the bottom the Security Center Window.
# Choosing between the “On” or “Off” will turn enable or disable Windows Firewall.
Post back.
-
yayy. windows firewall is off now. does that mean i'm all done? :D
-
It looks like...Just let me know, how your computer is doing...
-
hurrah, i will. thankyou soo much! it seems to be great so far. :)
-
Just don't screw it again.....LOL