

Blue Background Says Warning! Spyware Detected On Your Computer!


2 replies to this topic

#1 pyxlb0mb


Posted 17 June 2008 - 10:35 AM

I believe it's the Mario Virus on this computer ... if that helps ... it was printing like crazy right before this background went up!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:03 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1126897056\ee\aolsoftware.exe
c:\program files\common files\aol\1126897056\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1126897056\ee\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Vincent Soriero\Application Data\U3\000016178174DCD7\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = yaho
F2 - REG:system.ini: Shell=C:\WINDOWS\system32\drivers\services.exe Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotDeletingA4655] command /c del "C:\WINDOWS\SYSTEM32\vedxga1me4t1.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2096] cmd /c del "C:\WINDOWS\SYSTEM32\vedxga1me4t1.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7147] command /c del "C:\WINDOWS\SYSTEM32\vedxg4am1et2.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3363] cmd /c del "C:\WINDOWS\SYSTEM32\vedxg4am1et2.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6884] command /c del "C:\WINDOWS\SYSTEM32\vedxga4m1et4.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4992] cmd /c del "C:\WINDOWS\SYSTEM32\vedxga4m1et4.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9343] command /c del "C:\WINDOWS\SYSTEM32\vedxga5me3.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC786] cmd /c del "C:\WINDOWS\SYSTEM32\vedxga5me3.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe /install_sequence key="AGSBJK-XZ5MQC-GLA684-BXVHJJ-5CD5FB-2ACN" name="" email=""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6025] command /c del "C:\WINDOWS\SYSTEM32\vedxga1me4t1.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD417] cmd /c del "C:\WINDOWS\SYSTEM32\vedxga1me4t1.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9949] command /c del "C:\WINDOWS\SYSTEM32\vedxg4am1et2.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9033] cmd /c del "C:\WINDOWS\SYSTEM32\vedxg4am1et2.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5625] command /c del "C:\WINDOWS\SYSTEM32\vedxga4m1et4.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2471] cmd /c del "C:\WINDOWS\SYSTEM32\vedxga4m1et4.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4509] command /c del "C:\WINDOWS\SYSTEM32\vedxga5me3.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD392] cmd /c del "C:\WINDOWS\SYSTEM32\vedxga5me3.exe_tobedeleted"
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Global Startup: winlogin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176317074171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175213386296
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.qalt.net/Remote/msrdp.cab
O21 - SSODL: JQYacrO - {14EE8B4B-BE44-21E1-09B6-D986540D4877} - C:\WINDOWS\system32\wmhf.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe (file missing)
O23 - Service: F-PROT Antivirus for Windows system (fpavserver) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.geocities.com/vergara_fan/image9.jpg
O24 - Desktop Component 1: (no name) - http://www.geocities.com/vergara_fan/image6.jpg

--
End of file - 8156 bytes



HELP !!!! ???? !!!!!!

Edited by pyxlb0mb, 17 June 2008 - 11:11 AM.
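As an added example (not code from this thread, from BleepingComputer, or from Trend Micro's HijackThis), the script below parses HijackThis v2 entry lines like the ones posted above and flags what a helper reads first: a Winlogon Shell or UserInit value that launches anything besides Explorer.exe and userinit.exe, executables running out of system32\drivers (which only holds .sys files), names one or two edits away from real system binaries (spools vs spoolsv, cftmon vs ctfmon, winlogin vs winlogon), programs started from a built-in service account's profile, O21/O22 shell hooks, and "(file missing)" leftovers. The sample log is a constructed subset copied from the posted log; the list of known system binaries, the edit-distance threshold of 2, and the path regex are this example's own assumptions, tuned for triage rather than for zero false positives.

```python
"""Triage a HijackThis v2.x log: parse the entry lines and flag the indicators
a forum helper looks at first. Added example, not HijackThis's own code."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread (raw string so
# the Windows backslashes survive unchanged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = yaho
F2 - REG:system.ini: Shell=C:\WINDOWS\system32\drivers\services.exe Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Global Startup: winlogin.exe
O21 - SSODL: JQYacrO - {14EE8B4B-BE44-21E1-09B6-D986540D4877} - C:\WINDOWS\system32\wmhf.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: a short list of core Windows XP binaries whose names malware
# likes to imitate. Extend it for your own environment.
KNOWN_SYSTEM_BINARIES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe", "ctfmon.exe",
})
# Built-in service accounts never get a legitimate startup program in their profile.
SERVICE_ACCOUNT_PROFILES = ("\\localservice\\", "\\networkservice\\")

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# An .exe reference: a full drive path (may contain spaces, stops at a quote or
# comma) or a bare file name. Heuristic, good enough for triage.
EXE_RE = re.compile(r'(?:[A-Za-z]:\\[^",]*?|[\w.-]+)\.exe', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" = looks like the infection in the thread, "review" = check by hand
    code: str      # HijackThis section code (F2, O4, O23, ...)
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike names (cftmon vs ctfmon)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_executable(code: str, exe_path: str, line: str) -> list:
    """Rules for one executable referenced by an F2/O4/O23 entry."""
    low = exe_path.lower()
    name = low.rsplit("\\", 1)[-1]
    found = []
    # system32\drivers holds .sys files; an .exe there is a classic hiding spot.
    if "\\drivers\\" in low:
        found.append(Finding("high", code, f"executable '{name}' runs from the drivers folder", line))
    # A name one or two edits away from a real system binary (spools vs spoolsv).
    if name not in KNOWN_SYSTEM_BINARIES:
        for known in KNOWN_SYSTEM_BINARIES:
            if edit_distance(name, known) <= 2:
                found.append(Finding("high", code, f"'{name}' mimics system binary '{known}'", line))
                break
    if any(p in low for p in SERVICE_ACCOUNT_PROFILES):
        found.append(Finding("high", code, f"'{name}' lives in a service-account profile", line))
    return found


def triage(log_text: str) -> list:
    """Parse every HijackThis entry line and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        code, body = m.groups()
        if code == "F2" and body.startswith("REG:system.ini: Shell="):
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding("high", code, f"Winlogon Shell changed to: {value}", raw))
        elif code == "F2" and body.startswith("REG:system.ini: UserInit="):
            entries = [e.strip() for e in body.split("UserInit=", 1)[1].split(",") if e.strip()]
            if len(entries) != 1 or not entries[0].lower().endswith("\\userinit.exe"):
                findings.append(Finding("high", code, f"extra UserInit program(s): {entries}", raw))
        if code in ("F2", "O4", "O23"):
            for exe in EXE_RE.findall(body):
                findings.extend(check_executable(code, exe, raw))
        if code in ("O21", "O22"):
            findings.append(Finding("review", code, "shell hook; legitimate software rarely uses this, verify the DLL", raw))
        if "(file missing)" in body:
            findings.append(Finding("review", code, "dangling entry, its file is already gone", raw))
    return findings


def report(findings: list) -> str:
    """Plain-text report, high severity first."""
    rank = {"high": 0, "review": 1}
    ordered = sorted(findings, key=lambda f: rank[f.severity])
    return "\n".join(f"[{f.severity}] {f.code}: {f.reason}\n    {f.line}" for f in ordered)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The "high" findings are the ones that match the helper's verdict in this thread: a replaced Winlogon Shell, a second UserInit program, and several executables hiding in the drivers folder or under look-alike names. The "review" findings are cleanup items rather than proof of compromise on their own, which is why the rules keep the two severities apart.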



#2 Simon V.


Posted 22 June 2008 - 11:27 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

I'm afraid I have unpleasant news for you. You have been infected by Troj/Bckdr-QNZ. This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. If that's the case, you could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

The decision whether to reformat or not should be based on what you use the computer for. If the computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs) or executable files (.dll, .exe, .scr, .bat, .cmd, .vbs, .sys). Those should be reinstalled from the original CDs or websites.
  • If you have used this computer for shopping, banking, or any transactions relating to your financial well-being, call all of your banks, credit card companies and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords - for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

In your next reply, let me know how you want to proceed.
Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!


#3 Simon V.


Posted 27 June 2008 - 11:22 AM

Due to inactivity this topic will be closed.

If you need help please start a new thread and post a new HijackThis log.
Simon V.




