Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lose Internet Connection When Sending Mail


  • This topic is locked This topic is locked
8 replies to this topic

#1 rui.rojo

rui.rojo

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 29 September 2008 - 11:45 PM

I lose internet connection when sending mails, until i just have to reboot... or at least, i lose connection when sending mails from gmail with attachment. I've sent mail without attachment from hotmail and works fine. haven't tried any other variation yet..
Malwarebytes, spybot, eset, don't find anything, i seem to be clean. Here's my hijackthis log...
First time using this :thumbsup:
also, many times, when browsing in any browser, it fails to load some pages instantaneously, and succeeds it if i refresh.
Here goes my loooooog.
Ah, and some days ago, who knows what was I installing, the bluetooth thing stopped finding my cell phone. I haven't tried any other bluetoth device, but i think its not likely that the probem is from my cell. I reinstalled the drivers several times, from the cd cause i can't find them anywhere, and it still doesn't work. Currently drivers are not even installed i think.
i'm not sure in which things you can help with this log, but any help or tip, related or unrelated with these problems, is welcome and appreciated :)


Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe
C:\Archivos de programa\Babylon\Babylon-Pro\Babylon.exe
C:\Archivos de programa\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedhlp.exe
C:\Archivos de programa\ESET\ESET Smart Security\egui.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\Archivos de programa\gAlwaysIdle\gidle.exe
C:\Archivos de programa\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Archivos de programa\Druide\Antidote\Gestionnaire Antidote.exe
C:\Archivos de programa\DAEMON Tools Lite\daemon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Archivos de programa\Archivos comunes\VideoMate\ComproSchedulerDTV.exe
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
C:\ARCHIV~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\Archivos de programa\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Archivos de programa\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\Archivos de programa\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\ARCHIV~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Archivos de programa\uTorrent\uTorrent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARCHIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Archivos de programa\Copernic Desktop Search 2\DesktopSearchBand203000030.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Archivos de programa\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Archivos de programa\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [FastCache] C:\Archivos de programa\AnalogX\FastCache\fc.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Archivos de programa\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [OutpostMonitor] C:\ARCHIV~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [00LOCK] "C:\WINDOWS\System32\rundll32.exe" user32.dll, LockWorkStation
O4 - HKLM\..\Run: [gidle] "C:\Archivos de programa\gAlwaysIdle\gidle.exe"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Archivos de programa\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Archivos de programa\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Archivos de programa\Druide\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Archivos de programa\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Archivos de programa\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Archivos de programa\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office Outlook.lnk = C:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE
O4 - Startup: µTorrent.lnk = C:\Archivos de programa\uTorrent\uTorrent.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: ComproSchedulerDTV.lnk = ?
O8 - Extra context menu item: Translate with &Babylon - res://C:\Archivos de programa\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Archivos de programa\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\Archivos de programa\Druide\Antidote\Internet Explorer\7\Antidote K - IE 7.htm (HKCU)
O9 - Extra button: Dictionnaires - {F9B969E8-58D0-4dd9-AC8A-EE2336FF8F65} - C:\Archivos de programa\Druide\Antidote\Internet Explorer\7\Antidote D - IE 7.htm (HKCU)
O9 - Extra button: Guides - {FA089E36-3F1B-4c51-9A1A-C4E7012483AF} - C:\Archivos de programa\Druide\Antidote\Internet Explorer\7\Antidote G - IE 7.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217138307937
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB9438F-B43F-4258-8B0E-845F5FBDA1BB}: NameServer = 200.63.155.196,192.5.5.241
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 127.0.0.1
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 127.0.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARCHIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\ARCHIV~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Archivos de programa\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Archivos de programa\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe

Attached Files



BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:08 PM

Posted 09 October 2008 - 03:47 PM

:thumbsup: to BleepingComputer.com

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 rui.rojo

rui.rojo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 11 October 2008 - 08:06 AM

Here it is ;)

Attached Files



#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:08 PM

Posted 11 October 2008 - 06:11 PM

Hello, rui.rojo .
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 rui.rojo

rui.rojo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 11 October 2008 - 07:56 PM

thanks...
well, i'll try to clean it and check afterwards if everything seems to work fine... If necessary, i think i have some disk image of acronis trueimage stored, maybe can help...
Just letting you know in case those "backdoors" are harmless, I access this pc with windows remote desktop, and i use ftp filezilla server to access my files too...
Rui

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:08 PM

Posted 12 October 2008 - 01:06 PM

Hello, rui.rojo .

thanks...
well, i'll try to clean it and check afterwards if everything seems to work fine... If necessary, i think i have some disk image of acronis trueimage stored, maybe can help...
Just letting you know in case those "backdoors" are harmless, I access this pc with windows remote desktop, and i use ftp filezilla server to access my files too...
Rui


That could present a problem. Several tools pull internet access while they run on purpose on the target machine. I'll do my best, but know that this limits our recovery options :thumbsup:
Luckily it does not appear that what's here will be too difficult to remove.

I don't think the internet connection failure while sending mail is malware related, however. Since it's limited to a single website, issues like that are most often caused by the mail service, not by your machine. In other words, it's probably Gmail's problem. But we'll clean what's here :)

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    J:\Programas\Tv tuner\SageTV v5.0.4.92.rar
    C:\sqmdata??.sqm
    C:\sqmnoopt??.sqm
    :commands
    [EmptyTemp]
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • OTMoveIt3's Log
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 rui.rojo

rui.rojo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 14 October 2008 - 09:47 AM

Done.
Eset found nothing

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3519 (20081013)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f417907c9b5d654bb4dbe2952fc949eb
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-14 06:09:27
# local_time=2008-10-14 03:09:27 (-0300, Hora est. de Sudamérica E.)
# country="Argentina"
# osver=5.1.2600 NT Service Pack 3
# scanned=1151258
# found=0
# scan_time=12764
# nod_component=V3 Build:0x30000000 ()


Here's the other one

========== FILES ==========
J:\Programas\Tv tuner\SageTV v5.0.4.92.rar moved successfully.
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmdata04.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\sqmnoopt04.sqm moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Rui\CONFIG~1\Temp\etilqs_rLrCHrm74mfLDuTgvAiL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Rui\CONFIG~1\Temp\Perflib_Perfdata_6ac.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6e8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10132008_173323

Files moved on Reboot...
File C:\DOCUME~1\Rui\CONFIG~1\Temp\etilqs_rLrCHrm74mfLDuTgvAiL not found!
File C:\DOCUME~1\Rui\CONFIG~1\Temp\Perflib_Perfdata_6ac.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_6e8.dat not found!
C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Rui\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\ptla4w5d.default\XUL.mfl moved successfully.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:08 PM

Posted 14 October 2008 - 02:15 PM

Hello, rui.rojo .
Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware


We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:08 PM

Posted 16 October 2008 - 07:51 PM

Hello, rui.rojo .
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users