Compromised E-mail, odd icons in taskbar


  • This topic is locked
21 replies to this topic

#1 scarlettudor

scarlettudor

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 20 December 2009 - 10:54 AM

I just got a 'hand me up' of my daughter's old Dell. I think it is a 2007 because the Microsoft Word is dated that year. (And what a problem that program is! But I digress...)

I've been enjoying her speedier computer for about a month. I sent out a group email a few days ago. Next day, I got a message from Dell that my mailbox had been compromised or hacked into or something. I've never seen such a message on my old computer in almost 10 years.

At first, I couldn't get into my yahoo mailbox at all. However, I ran a few scans and it started letting me in, but sometimes very slowly. I also got another Dell message saying it had been compromised.

So, I'm using my yahoo mail box, but with difficulty sometimes. I downloaded HijackThis and ran a scan. Would you all please look at the results and tell me what I have to do?

I'm still running AVG free. I've gotten messages for about a month that was to be discontinued 12-18 and you had to pay. But my security seems to still be functioning.

I do notice that I have 2 totally new buttons on my toolbar, that I didn't request. They are 'MemTurbo' and 'Check PC for errors.' Maybe they were part of Hijack? I think they showed up before I d/l'ed that, though.

Thanks so much for any help.

Change title to more descriptive one. ~ OB

Edited by Orange Blossom, 20 December 2009 - 11:09 AM.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:03 PM

Posted 20 December 2009 - 11:08 AM

Hello,

The Windows Office version has no relation to the Operating System version. To find out what version of Windows you have, right click on the My Computer icon, then click on Properties. If the General tab is not on top, click on it so that it is. There you can see what version of Windows you have.

I am moving this topic to the Am I Infected forum for you. We have other tools at our disposal than HiJack This which we prefer to use first.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 roadclosed

roadclosed

  • Members
  • 138 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 20 December 2009 - 11:41 AM

To help members help you, some basic computer information would be useful.
Can you please look at the HJT Log you created and then select just the very top portion (as per this example below):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:34 AM, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal


This information will let us know your Windows version and how up to date with Security Patches it is; members can then know what programs can be run on the computer to help clean it.



I'm still running AVG free. I've gotten messages for about a month that was to be discontinued 12-18 and you had to pay. But my security seems to still be functioning.


Do you know which version of AVG you are running? If you are running an older version it may appear to still function but will not have the up-to-date definitions and will not therefore be correctly protecting the computer.


This, http://www.memturbo.com/, is what the MemTurbo program is, and from its supported platforms,

MemTurbo™ 4 for Windows 98, Me, 2000, XP and 2003

suggests you COULD be running any of those Windows versions on the computer and, of concern is, if it still has AVG antivirus version 7.5 on it. If it does you are definitely NOT protected by that antivirus program as it was withdrawn some while ago.

If you can let us have the requested information we can see what programs we can suggest you run on the machine to try to clean it.

#4 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 20 December 2009 - 11:44 PM

Thank you all already, for several new things you've taught me.

My computer has XP 2002 on it.

This is the top part of the HijackThis scan I did:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:26 AM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

The AVG I'm running is the free 8.5.

#5 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 21 December 2009 - 11:22 AM

I hope to hear from you guys soon as to what to do to clean my computer up from whatever was done to it by someone hacking into my yahoo account.

I just got an obvious spam purportedly by a friend whose name is in my address book. It's awkwardly worded, like from someone for whom English is not their native language.

ARRRGGGHHHHHHH!!

What can I do to get rid of whatever they put on my computer? What can I do for better security? Is everyone in my mailbox address book likely to be affected?

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 PM

Posted 25 December 2009 - 03:22 PM

Hello again.

Sorry for the delay. I want to get a GMER scan from you please.

Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 27 December 2009 - 03:51 PM

Hello, again! Thank you so much for your help. I haven't been back after your suggestion, because of family visiting and a lot going on.

However, I did get time to upload GMER and run a scan. The first time, it crashed. Second time, I did it in safe mode and got one rootkit notification.

I didn't see a save button and I was unable to copy and save, so I just wrote it down:

AttachedD\FileSystem\Fastfat\Fat

f/tmgr.sys (Microsoft FileSystem).

Should I delete and how, safely?

Edited by scarlettudor, 27 December 2009 - 03:52 PM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 PM

Posted 28 December 2009 - 11:48 AM

Hello again.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Should I delete and how, safely?

Please do NOT delete anything with GMER yourself. Not everything it reports is bad or needs attention/removal.

Then try running GMER again and this time uncheck the Devices section too.

With Regards
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 30 December 2009 - 01:54 PM

Hello again. I didn't get notification that you'd responded, so didn't know I had a message waiting for me. I'll get on the DeFogger suggestion right away.

Meanwhile, I'm afraid to go to my banking site since my computer security may be compromised. My daughter is visiting and she's afraid to, also. Guess I'll go next door and ask my neighbor if I can borrow a cup of internet.

Anyway, I've run my AVGfree 8.5 in the last 12 hours and it came up clean except for tracking cookies, which I get all the time. I did find a virus already in the vault, along with all the cookies, and deleted it.

I ran GMER again in safe mode last night and still got the AttachedD\FileSystem\FastFat\Fat under RootKits. I also have 2 logs of stuff to report. Do you want me to copy and paste them here?

I'll get back to you as soon as I do the defogger thing.

#10 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 30 December 2009 - 02:13 PM

I just went to DeFogger but it didn't give all the prompts I expected. I clicked 'disable,' it queried and said 'yes.' Then, it said 'finished.' I said 'ok.' It didn't ask me to re-boot. I did it 3 times, hoping for some information as to whether it found and fixed something, but that was all I got.

I could run GMER again with devices unchecked. Could also give you the log I got from that last night.

PS: I found a DeFogger notepad log on my desktop. This is what it said:

<<defogger_disable by jpshortstuff (28.11.09.2)
Log created at 14:14 on 30/12/2009 (sue)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=->>

Now, I'm going to reboot.

Edited by scarlettudor, 30 December 2009 - 02:18 PM.


#11 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 31 December 2009 - 12:50 AM

One response I got from GMER included Rootkit Malware of Attached D\drive\N+fsTcpip\Device.1p

Then same except Device, udp

Same Device, Tcp

Same Device, Raw1p

But a subsequent GMER scan said it hadn't found any system modification.

I'm still chicken to go on my banking site. Had to go to my sister's house to check that nothing was suspicious there. With the last free GMER scan, would it be safe to go on?

DeFogger may have taken care of the RootKit problem?

Edited by scarlettudor, 31 December 2009 - 12:51 AM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 PM

Posted 01 January 2010 - 01:28 PM

Hello again.

Defogger doesn't remove any rootkits but just stops CD emulators services that can sometimes conflict with certain tools we use. The scans aren't showing much and to be sure you are clean I would start a topic in the Malware Removal forum.

You can run an online scan to see if it detects anything:

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

--

1st Step: Preparation Guide Before Starting a Topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
2nd Step: Starting a Topic in the HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 04 January 2010 - 01:57 AM

I just updated my Java, then Kaspersky. However, it told me to disable any anti-virus I was running, so it wouldn't interfere. I tried to uncheck my AVG free, but it wouldn't uncheck. I couldn't disable it, so I am going ahead and running the Kaspersky. Hoping it works. Will get back to you afterwards.

#14 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 04 January 2010 - 11:35 AM

Extreme Boy suggested that I relocate my thread here. The original work he and Orange Blossom have helped me with are at http://www.bleepingcomputer.com/forums/ind...p;#entry1558713

To recap, I was told to run a GMER scan, which came up with AttachedD\FileSystem\Fastfat\Fat (fltmgr.sys Microsoft FileSystem)

Then I ran DeFogger several times. In between, I ran additional scans with my existing AVGfree 8.5. A few days ago, I came up with GMER hasn't found any system modification.

Most recently, extreme boy said the scans looked ok, but to be sure, to run Kaspersky. I tried to download that over last night, but got

<<Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established.>> (My internet connection was on all night.)

I had been unable to disable my AVG before running it. It wouldn't uncheck. I guess I have to completely remove the program while I run Kaspersky, so it won't conflict? Then download it again later?

I'm going to remove my AVG before I go to work today and try to download/run Kaspersky again.

Will check with you guys to be sure this is the right next thing to do, before I go.

#15 scarlettudor

scarlettudor
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:06:03 PM

Posted 05 January 2010 - 11:13 AM

I went ahead and deleted my AVGfree 8.5 security, so I could go run the Kaspersky. It ran last night for 5-1/2 hours.

The report said 1 infected file and 1 suspicious. I couldn't get it to pull up the infected file. I clicked the suspicious one and got that it was Exploit.HTML.codeBaseExe1. It's in my daughter's music files. This is her old computer and she's still on as a user, as well as me. I called her to get her password. It wouldn't log-in as her without one, although I thought that was the way she was set up.

Meanwhile, I'm concerned about the dangerous one (in red) that I couldn't get to come up or to save.

I'm going to put my security back on and wait to hear from you guys.