
Picked Up Some Malware, Lynxtrack I Think; Need Help


11 replies to this topic

#1 kevc19


Posted 23 September 2008 - 09:57 AM

This has become a problem in recent days. I think I picked it up from a link in Facebook containing a video from YouTube, but when I arrived the address was not a YT address, and I may have installed it when asked to update my Java software.

The result is when I use a search engine and click one of the results, I am redirected through several addresses and to ads. I've read through a few postings and see that there has been some good help, I've installed HiJackThis and ComboFix already and would like to know what to do next.

Thanks,

Kevin

#2 garmanma


Posted 23 September 2008 - 10:04 AM

I will move you to the proper forum to start the process.
Mark

#3 DaChew


Posted 23 September 2008 - 07:25 PM

I've installed HiJackThis and ComboFix already and would like to know what to do next.


The HJT forum is extremely busy and backed up (that's the only place HJT logs are allowed). Don't run ComboFix. If you are asked to do so later in that forum they will want you to download a new copy; I would just delete that one.

Let's start with an MBAM log, please.

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

Edited by DaChew, 23 September 2008 - 07:27 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#4 kevc19


Posted 23 September 2008 - 08:41 PM

Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.28
Database version: 1200
Windows 5.1.2600 Service Pack 3

9/23/2008 9:40:34 PM
mbam-log-2008-09-23 (21-40-34).txt

Scan type: Quick Scan
Objects scanned: 45394
Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 DaChew


Posted 23 September 2008 - 09:03 PM

http://www.bleepingcomputer.com/forums/ind...st&p=945875

This one, ATF-Cleaner and SAS from safe mode, is a little more complicated; take your time and follow the directions exactly.

You might want to just do the quick scan with SAS, but the complete ATF cleaning.

After that, would you run another scan and post a SmitfraudFix log?

It will reset your time to military.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Chewy


#6 kevc19


Posted 24 September 2008 - 03:30 PM

Thanks Chewy, I've run both ATF-Cleaner & SAS, but the SmitfraudFix download is in German, I think. Is there an English version?

Thanks again,

Kevin

#7 DaChew


Posted 24 September 2008 - 03:35 PM

The file contains both English and French versions.


Chewy


#8 kevc19


Posted 24 September 2008 - 04:08 PM

Below are the SAS & SmitfraudFix logs. I should mention that I ran the Firefox part of ATF-Cleaner after generating these two logs.

Thanks again,

Kevin



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/24/2008 at 11:02 AM

Application Version : 4.21.1004

Core Rules Database Version : 3578
Trace Rules Database Version: 1566

Scan type : Complete Scan
Total Scan Time : 03:01:21

Memory items scanned : 188
Memory threats detected : 0
Registry items scanned : 5516
Registry threats detected : 0
File items scanned : 63311
File threats detected : 0


_____________________________

SmitFraudFix v2.354

Scan done at 17:01:10.31, Wed 09/24/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Trirot.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\THKem.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Symbol Commander\Sensiva.exe
C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\TinyProxy\TinyProxy.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Administrator


C:\Documents and Settings\Administrator\Application Data


Start Menu


C:\DOCUME~1\ADMINI~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Toshiba Wireless LAN Mini PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AC76284-E38C-4031-AFE4-E970173A5C2C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3AC76284-E38C-4031-AFE4-E970173A5C2C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3AC76284-E38C-4031-AFE4-E970173A5C2C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End
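As an added example, not part of this thread and not code from SmitfraudFix or its author, a small Python triage helper that parses the hosts, AppInit_DLLs and Winlogon sections of a rapport.txt in the layout posted above and summarises what a helper looks at first. The sample log text is constructed to mirror that layout, and the default Userinit value assumed is the Windows XP one.

```python
import re

# Constructed excerpt in the layout of the SmitfraudFix rapport.txt posted
# above; values are modelled on that log, not copied from a real machine.
SAMPLE_LOG = r"""
hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Winlogon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
"""

# Windows XP default (an assumption for this example). SmitfraudFix prints
# registry data in .reg syntax with doubled backslashes; reg_value() undoes that.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
HOSTS_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.M)


def hosts_entries(log):
    """Return (ip, hostname) pairs listed in the log's hosts section."""
    return HOSTS_LINE.findall(log)


def reg_value(log, name):
    """String data of the named .reg-style value, or None if absent."""
    m = re.search(r'^"%s"="(.*)"\s*$' % re.escape(name), log, re.M)
    return m.group(1).replace("\\\\", "\\") if m else None


def triage(log):
    """The three things a helper eyeballs first in a rapport.txt."""
    # Every hosts line that is not the loopback 'localhost' mapping goes up
    # for review: redirect malware and some security tools both edit hosts.
    review = [(ip, h) for ip, h in hosts_entries(log)
              if h.lower() not in ("localhost", "localhost.localdomain")]
    userinit = reg_value(log, "Userinit")
    return {
        "hosts_review": review,
        # Anything appended after userinit.exe runs at every logon.
        "userinit_default": userinit is not None
        and userinit.lower() == DEFAULT_USERINIT.lower(),
        # A DLL listed here is loaded into every process that loads user32.
        "appinit_dlls": reg_value(log, "AppInit_DLLs"),
    }
```

Run `triage(open("rapport.txt").read())` against a real log to get the same summary; the hosts entries it lists are for review, not a verdict.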

#9 DaChew


Posted 24 September 2008 - 04:24 PM

According to LDTate:

The infection you have is very serious.

Backdoor.Tinyproxy

http://research.sunbelt-software.com/threa...threatid=403975


I will call in an expert.

Edited by DaChew, 24 September 2008 - 04:25 PM.

Chewy


#10 DaChew


Posted 24 September 2008 - 05:59 PM

http://www.bleepingcomputer.com/forums/ind...st&p=955454

If you would post that log for the HJT forum, it would be appreciated.

This may be a very new infection and needs to be addressed.
Chewy


#11 kevc19


Posted 25 September 2008 - 01:03 AM

Thanks Chewy, I appreciate your help. I've posted the HJT log and info here:

http://www.bleepingcomputer.com/forums/t/171229/invected-with-backdoortinyproxy/

Thanks again,

Kevin

#12 quietman7


Posted 25 September 2008 - 06:04 AM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic. I have already replied to your HijackThis log.

Edited by quietman7, 25 September 2008 - 06:53 AM.
