Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware & arp poisoning attack..


  • Please log in to reply
1 reply to this topic

#1 mt2009

mt2009

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 21 November 2008 - 05:44 AM

Hi guys, Im new here.. i know this site from my friend that ever have a

problem solved before.. Glad to be here. :thumbsup:
I recently had some virus problems. after rebuild my security software

combination & do a scan most of the virus & spyware seem to be cleared up.
but i'm not sure because when i start browsing some site & i always see

list of the connection being made by IE to ip other than the site i browsed

(i feel like being spied). also my Computer running with a little lag

lately. btw, i ever got ARP Poisoning Attack (Man in the middle) many of my

account password have been stolen.. how to counter attack this?.. i'm using

comodo firewall now but from Matousec's Firewall challange, comodo can't

counter sniffing attack.. one of my friend said if i using https, my

password will be encrypted even its sniffed..is that ryte?

Here's my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:47 PM, on 11/21/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Comodo\SecureEmail\ComodoSE.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Comodo\SecureEmail\ComodoSE.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\YPOPs\ypops.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

file://c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

file://c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 

'Full Speed' Enabled <<<
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 

Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program 

Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-

C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - 

C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-

5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows 

Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvSvc] "C:\Windows\system32\RUNDLL32.EXE" 

C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" 

C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" 

C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog 

Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program 

Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition 

Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download 

Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program 

Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows 

Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe 

oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows 

Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!

\Widgets\YahooWidgets.exe
O4 - Startup: YPOPs.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions 

present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel 

present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions 

present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel 

present
O8 - Extra context menu item: Download all links with IDM - C:\Program 

Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - 

C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet 

Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - 

res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 

C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} 

- C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-

5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - 

C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-

6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - 

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - 

C:\Program Files\Lenovo\VeriFace\OpenWnd.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cemlsp.dll
O13 - Gopher Prefix: 
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - 

http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 

C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl 

Class) - 

http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogW

ebControl.cab?1202142992634
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility 

Class) - 

http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 

1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-

i586.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient 

Class) - 

http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) 

- http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{538B46FE-9F1C-493D-B4FE-

F4C741209D5A}: NameServer = 202.59.201.201,202.59.201.202
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - 

C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - 

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: oepl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program 

Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - 

C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler 

(AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir 

PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard 

(AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir 

PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown 

owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision 

Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 

32\IDriverT.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program 

Files\Sandboxie\SbieSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - 

C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - 

C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program 

Files\ThreatFire\TFService.exe

--
End of file - 9781 bytes

Any help appreciated..

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:07 PM

Posted 06 December 2008 - 08:22 AM

Hello mt2009

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users