Privacy_danger Trouble
3 replies to this topic

#1 The Devil

Posted 30 October 2007 - 10:06 AM

I found the topic on HijackThis about Privacy_danger...I was infected and followed the instructions for removal. It said to post the results here, so I am doing so. Any further help will be greatly appreciated. Does anyone know where this comes from so I won't make the mistake again. Thanks!

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\VideoAccessCodec\install.ico - Deleted
C:\WINDOWS\bxsbang.dll - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\kthemup.exe - Deleted
C:\WINDOWS\msmhost.dll - Deleted
C:\WINDOWS\nssfrch.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\MOVCTR~1.DLL - Deleted


Folder C:\Program Files\VideoAccessCodec - Removed
Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Avant Browser\\avant.exe"="C:\\Program Files\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"C:\\WINDOWS\\system32\\lxddcoms.exe"="C:\\WINDOWS\\system32\\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"="C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"="C:\\Program Files\\Lexmark 2500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lexmark 2500 Series\\app4r.exe"="C:\\Program Files\\Lexmark 2500 Series\\app4r.exe:*:Enabled:BorgListener"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 1 Oct 2007 35,328 ...H. --- "C:\Documents and Settings\Michael\My Documents\~WRL2576.tmp"
Mon 1 Oct 2007 35,840 ...H. --- "C:\Documents and Settings\Michael\My Documents\~WRL3506.tmp"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Fri 29 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 30 Oct 2007 388,090 A..H. --- "C:\Documents and Settings\Michael\Local Settings\Temp\BITB8D.tmp"
Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT2.tmp"
Mon 1 Oct 2007 49,664 ...H. --- "C:\Documents and Settings\Michael\Application Data\Microsoft\Word\~WRL2961.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Michael\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
MY GOD, IT'S FULL OF STARS
http://www.myspace.com/getsyphilis

#2 quietman7
Global Moderator

Posted 30 October 2007 - 10:39 AM

> I found the topic on HijackThis about Privacy_danger...I was infected and followed the instructions for removal.

What instructions did you follow?

I see that you used SDFix which detected/removed several related bad files from this infection. I would have asked you to follow BC's self-help tutorial: How to remove Privacy Protector or PrivacyProtector. However, some of these tools will overlap in their detection and removal of malware.

Are you having any further problems?

Smitfraud is a generic description for a family of rogue applications/trojans (i.e. Win32.Zlob) that uses misleading advertising, downloads rogue security products, changes (hijacks) the Windows Desktop and infects system files. The Trojan uses bogus security warnings and fake alerts to indicate that your computer is infected with spyware or has critical errors. It is responsible for downloading and installing programs that purport to scan for spyware and then uses false scan reports as a scare tactic to goad you into purchasing one of several rogue programs to fix it.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 The Devil
Topic Starter

Posted 30 October 2007 - 05:27 PM

Thanks...that's exactly what I had. AVG found the Zlob virus and put it in the virus vault, but after working fine for a few hours, the hijack returned.

Hence a Google search for Privacy_danger and my discovery of this forum.

I also ran the ComboFix program and it came up clean...so I'm happy for the moment.

#4 quietman7
Global Moderator

Posted 30 October 2007 - 07:03 PM

You really should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again.

If you're not having any more malware problems, then you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
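The same create-then-prune procedure, scripted for a current Windows host instead of the XP Disk Cleanup dialog. This is an added example, not part of quietman7's reply; it assumes Windows PowerShell 5.1 run as Administrator with System Protection enabled on C:, and the description text is a made-up placeholder.

```powershell
# Added example (not from the thread): create a fresh restore point after cleanup,
# then remove every older one so an infected point cannot be rolled back to.
# Assumes an elevated Windows PowerShell 5.1 session and System Protection on for C:.

# Step 1: new restore point. Windows throttles Checkpoint-Computer to one per 24 hours
# by default, so a recent automatic point can make this call a silent no-op.
Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType "MODIFY_SETTINGS"

# Step 2: prune. Restore points are VSS shadow copies; vssadmin removes the oldest
# one per call, so loop until exactly one (the newest) is left.
# Caveat: this also deletes any other shadow copies on C: (e.g. "Previous Versions").
function Get-ShadowCount {
    @(vssadmin list shadows /for=C: | Select-String 'Shadow Copy ID').Count
}
while ((Get-ShadowCount) -gt 1) {
    vssadmin delete shadows /for=C: /oldest /quiet
}

# Step 3: verify that only the new point remains and note its sequence number,
# which is the "log of this" the post recommends keeping.
Get-ComputerRestorePoint |
    Sort-Object CreationTime |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
```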
