
Pls help! I got hacked



#1 ccwsiu (Members, 7 posts)

Posted 19 February 2011 - 02:20 PM

I have been targeted and harassed by a group of haters. They claimed that they hacked into several of my accounts: Facebook, Hotmail, MSN, and school.
They revealed my real GPA from my school account, and the content of my Facebook private messages (that happened before Facebook tracked people's logins).
I deleted all my mail in Hotmail and started to use eBuddy via iPhone for MSN (I thought it would be safer?). I changed all my accounts to long, difficult passwords on a new computer, but still couldn't stop them from hacking into my accounts, because they said they knew I used eBuddy and said it would be easier for them to hack. I don't know if that's true. Please help! Any help/advice would be highly appreciated! I have attached my TCPView and HijackThis logs. Thanks!

Edit: Moved topic from Am I hacked? What do I do? to the more appropriate forum. ~ Animal

My Hotmail, school, Facebook, and MSN passwords were stolen. I suspect it is due to a trojan/spyware/malware.
I scanned my computer with Malwarebytes, SUPERAntiSpyware Free, and Spyware Terminator, but they couldn't catch anything.
I'm using ESET NOD32 Antivirus 3.0.658.0.
Sometimes I have some underground thing pop up, and it disappears so quickly that I can't see what the content is.
And the Windows Security Alert occasionally shows a message saying that my antivirus is shut down, and the alert turns back to normal after I click on it to see.
Please help to remove them (especially the ones that stole my passwords).
Any help/suggestions would be highly appreciated. Thanks.
PS: I also attached the DDS log (attach.txt) and the GMER log (ark.txt).



DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 18:07:51.37 on Sat 02/19/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.77 [GMT -8:00]

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.P4-3E.000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
{2f364306-aa45-47b5-9f9d-39a8b94e7ef7}
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SpywareTerminator] "c:\progra~1\spywar~1\SpywareTerminatorShield.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\QTTask.exe" -atboottime
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTA5NDc1MzEzLVQ1LVU4NSsxLUJBKzEtS1YzKzctWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUY5TSsxLUY5TTdCKzUtQjItUUlYMSszLVgyMDEwKzI"&"prod=90"&"ver=10.0.1170
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &U????????? - c:\program files\namirobot\data\du.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Foxy ?? - c:\program files\foxy\Foxy.exe/download.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://whtiff.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204279346765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204280531906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.000\applic~1\mozilla\firefox\profiles\7g8mbrnw.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\documents and settings\administrator.p4-3e.000\application data\mozilla\firefox\profiles\7g8mbrnw.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: c:\documents and settings\administrator.p4-3e.000\application data\mozilla\firefox\profiles\7g8mbrnw.default\extensions\npnami@npnami.com\plugins\npnami.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin8.dll
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: RefControl: {455D905A-D37C-4643-A9E2-F6FEFAA0424A} - %profile%\extensions\{455D905A-D37C-4643-A9E2-F6FEFAA0424A}
FF - Ext: CookieCuller: {99B98C2C-7274-45a3-A640-D9DF1A1C8460} - %profile%\extensions\{99B98C2C-7274-45a3-A640-D9DF1A1C8460}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Nami Plugin: npnami@npnami.com - %profile%\extensions\npnami@npnami.com
FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2004-10-15 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2004-10-15 5248]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-5 11608]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-2-12 141312]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-10-14 353680]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-5 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-5 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-5 61960]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-5-22 468240]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 EzInstall;EzInstall;\??\e:\ezinstall\ezinstall.sys --> e:\ezinstall\EzInstall.sys [?]
S3 jswmidin;jswmidin;\??\c:\docume~1\admini~1.000\locals~1\temp\jswmidin.sys --> c:\docume~1\admini~1.000\locals~1\temp\jswmidin.sys [?]
S3 OEMFVNETusb(505_2958)®;OEM FVNETusb(505_2958)® Service for 802.11b Pen Size Wireless USB Adapter;c:\windows\system32\drivers\vnet558x.sys [2004-11-4 102144]
S4 Aumddmpfnstp;Aumddmpfnstp; [x]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-1 297752]

=============== Created Last 30 ================

2011-02-07 06:17:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-07 06:17:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-07 06:17:15 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-07 01:06:44 -------- d-----w- c:\docume~1\admini~1.000\applic~1\Avira
2011-02-06 05:53:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-06 05:53:03 -------- d-----w- c:\program files\Avira
2011-02-06 05:53:03 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Avira
2011-01-21 06:42:45 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc13C4.tmp

==================== Find3M ====================

2004-03-11 20:27:22 40960 -c--a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 18:10:13.73 ===============

EDIT: Topics and posts merged ~BP

EDIT: tcpview.txt file removed at OP's request ~BP


Edited by Budapest, 24 February 2011 - 01:33 AM.



#2 shelf life (Malware Response Team, 2,657 posts)

Posted 23 February 2011 - 07:28 PM

Hi,

Your post is a few days old. I don't see much out of place; the TCPView output is nothing to worry about. If you still need help, post back.

How Can I Reduce My Risk to Malware?


#3 ccwsiu (Topic Starter)

Posted 23 February 2011 - 09:23 PM

Hi, I think I still need help to remove possible malware that stole my passwords.
And I have attached the new TCPView log because I saw a strange process called "non-existent" (in the first line of the report).
Please help! Thanks.

Attached Files

  • tcp.txt (5.06KB)


#4 shelf life (Malware Response Team, 2,657 posts)

Posted 24 February 2011 - 06:49 PM

Hi,

Looks like the TCPView text was removed. Somebody knowing your IP isn't really anything to worry about. First, in order to actually be hacked you would have to have a vulnerability on your computer as some 'inside help'. It's a myth that any computer can be hacked; it's not true. Second, the hacker would have to know that you have a vulnerability on your computer and know how to exploit the vulnerability. Third, they would have to be a very, very skilled hacker to actually carry it out.

I believe you are seeing

"non-existent"

because the TCP/IP transmission protocol isn't completely finished closing yet. It goes through a standard procedure when establishing and closing a connection. The log can show different 'states' of the transmission. That's my take on it anyway.

We will get a download to use. It's called ComboFix. Please read through the guide first, then apply the directions on your own machine. Post the ComboFix log in your reply.


Guide to using Combofix

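To make the point about connection 'states' concrete, here is an added example (not from this thread and not TCPView's own tooling) that reads a TCPView-style listing and separates teardown leftovers, such as a "[non-existent]" owner in TIME_WAIT, from live sockets that deserve a closer look. The sample lines, the tab-separated column layout (process, PID, protocol, local address, remote address, state), the process allowlist and the local address ranges are all constructed assumptions.

```python
"""Triage a TCPView-style connection listing.

Added example (not from the original thread). SAMPLE is constructed, and the
tab-separated column layout process/PID/protocol/local/remote/state is an
assumption about the export format, not TCPView's documented format.
IPv4 only.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "process pid proto local remote state")

# Constructed sample lines (assumed layout). "[non-existent]" is how TCPView
# labels a socket whose owning process has already exited.
SAMPLE = """\
[non-existent]\t0\tTCP\t192.168.1.5:3421\t65.54.239.20:1863\tTIME_WAIT
firefox.exe\t1892\tTCP\t192.168.1.5:3455\t69.63.181.12:443\tESTABLISHED
svchost.exe\t1040\tTCP\t0.0.0.0:135\t0.0.0.0:0\tLISTENING
System\t4\tTCP\t192.168.1.5:139\t0.0.0.0:0\tLISTENING
unknown.exe\t2210\tTCP\t192.168.1.5:3470\t203.0.113.7:6667\tESTABLISHED
[non-existent]\t0\tTCP\t192.168.1.5:3460\t203.0.113.9:80\tCLOSE_WAIT
"""

# States a TCP connection passes through while closing; on their own these
# are leftovers of normal teardown, not evidence of an intruder.
TEARDOWN_STATES = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "TIME_WAIT",
                   "CLOSE_WAIT", "LAST_ACK"}

# Assumed allowlist of processes expected to hold sockets on this machine.
KNOWN_PROCESSES = {"System", "svchost.exe", "firefox.exe", "lsass.exe"}

# Address ranges treated as local rather than Internet-facing (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
               "172.16.0.0/12", "192.168.0.0/16")]


def parse(text):
    """Parse tab-separated lines into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 6:
            raise ValueError(f"unexpected column count in line: {line!r}")
        proc, pid, proto, local, remote, state = parts
        conns.append(Conn(proc, int(pid), proto, local, remote, state))
    return conns


def is_external(addr):
    """True if 'ip:port' points outside the local/private ranges (IPv4)."""
    ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
    return not any(ip in net for net in LOCAL_NETS)


def triage(conns):
    """Split connections into (ignored, suspicious).

    ignored:    sockets still tearing down; a "[non-existent]" owner just
                means the process exited before the kernel finished closing.
    suspicious: live connections to external hosts, or listening sockets,
                owned by a process that is not on the allowlist.
    """
    ignored, suspicious = [], []
    for c in conns:
        if c.state in TEARDOWN_STATES:
            ignored.append(c)
        elif c.process in KNOWN_PROCESSES:
            continue
        elif c.state == "LISTENING" or (c.state == "ESTABLISHED"
                                        and is_external(c.remote)):
            suspicious.append(c)
    return ignored, suspicious


if __name__ == "__main__":
    ignored, suspicious = triage(parse(SAMPLE))
    print(f"{len(ignored)} teardown leftover(s) ignored")
    for c in suspicious:
        print(f"LOOK AT: {c.process} (PID {c.pid}) {c.local} -> {c.remote} {c.state}")
```

On the constructed sample this ignores both "[non-existent]" entries and reports only unknown.exe's established connection to 203.0.113.7:6667, which is the distinction drawn above: a closing socket with no owner is noise, an unfamiliar process talking to the Internet is what to investigate.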


#5 ccwsiu (Topic Starter)

Posted 25 February 2011 - 01:22 AM

Thanks for your reply and help!
I started running ComboFix, but it said I needed to uninstall AVG, which I removed last year.
So I googled and used AVG Remover to try to remove AVG completely. But the remover stops at "running AVG process" for an hour.
No luck at all! :wacko:

#6 shelf life (Malware Response Team, 2,657 posts)

Posted 25 February 2011 - 06:06 PM

Try running the AVG uninstaller in safe mode. To reach safe mode you would tap the F8 key during a computer restart and choose the first option from the list: Safe Mode. Once at the safe mode desktop, run the uninstaller. If it goes OK, reboot the computer normally, then back at the normal desktop run ComboFix. If the AVG uninstall doesn't work for some reason, then go ahead and run ComboFix while you are in safe mode. Save the log, reboot normally and post the log.



#7 ccwsiu (Topic Starter)

Posted 27 February 2011 - 12:53 AM

Thanks for your help!
I ran AVG Remover in safe mode and ComboFix in normal mode.
I've attached the ComboFix log with this reply.
In the log, I saw something was deleted and some locked registry keys.
Is that because of malware?



#8 shelf life (Malware Response Team, 2,657 posts)

Posted 27 February 2011 - 08:42 AM

We will use ComboFix to remove an item:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:
Driver::
jswmidin
Aumddmpfnstp

File::
c:\docume~1\ADMINI~1.000\LOCALS~1\Temp

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved (CFScript.txt) and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.

Those locked keys aren't anything to worry about. I hope you're not using the Tor network to run BitComet; that's not what it was intended for, if that's the case.
You can do an online scan also:

ESET online scanner:


http://www.eset.com/onlinescan/

Use Internet Explorer

Check "YES" to accept the terms

Click the Start button

Allow the ActiveX component to install

Click the Start button; the scanner will update

Check both "Remove found threats" and "Scan archives". Leave the defaults checked under Advanced settings

Click Scan. When it completes, click "List found threats"

Click "Export to text file..." and save it to your desktop. Post the saved log.

Click "Back" and "Finish"



#9 ccwsiu (Topic Starter)

Posted 27 February 2011 - 06:16 PM

Hi, I've done scanning with ComboFix and the ESET online scanner.
I've attached the logs, but I couldn't save ESET's.
The ESET one says there's no threat.
And I never use Tor, although I downloaded it. I know it's for websites.
Thanks!



#10 shelf life (Malware Response Team, 2,657 posts)

Posted 27 February 2011 - 08:57 PM

Hi,

That all looks good. Looks like you have two AVs installed, Antivir and ESET. More is not better in this case. You only need one resident AV on a computer. I would remove one via the Add/Remove Programs panel. You can remove ComboFix like this:
start>run and type in:
combofix /uninstall
click OK or Enter
note the space after the x and before the /

You can make a new restore point. The how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.



To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot


Last: You mentioned that you have changed passwords before. Since we did remove some malware, you might consider changing them again. Why? Because some malware can be in the form of password stealers or keyloggers, etc. I can't say that this is what your malware was, but changing passwords won't do any good if you still have the malware on your machine. Some guidelines:



At least fifteen (15) characters in length.
Does not contain your user name, real name, organization name, family member's names or names of your pets.
Does not contain your birth date.
Does not contain a complete dictionary word.
Is significantly different from your previous password.


Should contain three (3) of the following character types.

Lowercase Alphabetical (a, b, c, etc.)
Uppercase Alphabetical (A, B, C, etc.)
Numerics (0, 1, 2, etc.)
Special Characters (@, %, !, etc.)



If all is good, some tips for you:


10 Tips for Prevention and Avoidance of Malware:

There is no reason why your computer can not stay malware free.


No software can think for you. Help yourself. In no special order:


1) It is essential to keep your operating system (Windows), browser (IE, Firefox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web-based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.


2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs that you may have malware on your computer.


3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware, then it's time to *review your computer habits*.


4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.


5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.


6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?


7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.


8) Install and understand the *limitations* of a software firewall.


9) A slide-show how-to for securing Internet Explorer 8.0 for safer surfing. How to harden Firefox for safer surfing.


10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.

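The password guidelines listed in the post above, turned into a checker. This is an added example and not part of the post: the rules follow the list as given (length, no names, no birth date, no complete dictionary word, significantly different from the previous password, three of four character classes); the account details in USER_CONTEXT, the small DICTIONARY stand-in, and the test used for "significantly different" (which the post does not define) are constructed assumptions.

```python
"""Check a candidate password against the guidelines in the post above.

Added example (not from the original thread). The rules are the ones listed
in the post; USER_CONTEXT, the mini DICTIONARY and the "significantly
different" test are constructed assumptions.
"""
import string

# Constructed account details; fill these from the account being protected.
USER_CONTEXT = {
    "user_name": "ccwsiu",
    "real_name": "Alice Example",
    "organization": "Example University",
    "family": ["Bob", "Carol"],
    "pets": ["Rex"],
    "birth_date": "1990-04-17",   # YYYY-MM-DD
}

# Constructed stand-in for a real dictionary/word list.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "university"}

CHAR_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special": set(string.punctuation),
}


def _birth_date_forms(date_str):
    """Common ways a birth date gets typed: year alone, DDMMYYYY, MMDDYY, ..."""
    y, m, d = date_str.split("-")
    yy = y[2:]
    return {y, y + m + d, d + m + y, m + d + y, d + m + yy, m + d + yy, d + m, m + d}


def _contains_any(password, words):
    """Return the words (3+ chars, case-insensitive) found inside the password."""
    low = password.lower()
    return [w for w in words if len(w) >= 3 and w.lower() in low]


def _too_similar(password, previous):
    """Assumed test for 'significantly different': flag if one password
    contains the other, or both start with the first half of the old one."""
    a, b = password.lower(), previous.lower()
    half = max(1, len(b) // 2)
    return a in b or b in a or a[:half] == b[:half]


def check_password(password, previous=None, ctx=USER_CONTEXT):
    """Return a list of violated guidelines; an empty list means it passes."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")

    names = [ctx["user_name"], *ctx["real_name"].split(),
             *ctx["organization"].split(), *ctx["family"], *ctx["pets"]]
    hits = _contains_any(password, dict.fromkeys(names))   # dedupe, keep order
    if hits:
        problems.append("contains name(s): " + ", ".join(hits))

    if _contains_any(password, _birth_date_forms(ctx["birth_date"])):
        problems.append("contains birth date")

    words = _contains_any(password, sorted(DICTIONARY))
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))

    if previous is not None and _too_similar(password, previous):
        problems.append("not significantly different from previous password")

    classes = sum(1 for chars in CHAR_CLASSES.values()
                  if any(ch in chars for ch in password))
    if classes < 3:
        problems.append(f"uses {classes} character class(es); need at least 3")

    return problems


if __name__ == "__main__":
    for pw in ("Alice1990!!!!!!!!", "correct horse battery staple", "Tr0ub4dor&3-Xk9#mQ"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that a long passphrase of lowercase words fails the post's three-class rule even though its length is fine, and that a password built from the user's first name and birth year fails two rules at once despite using all four character classes; the checker reports every violated rule rather than stopping at the first.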


#11 ccwsiu (Topic Starter)

Posted 27 February 2011 - 10:22 PM

I've reset my System Restore.
When I clicked on ComboFix before, it asked me to update ComboFix.
It stated the file was corrupted after the update. I ended up downloading ComboFix again from bleeping.com.
I wonder if that's normal?
Thanks for all your help.

#12 shelf life (Malware Response Team, 2,657 posts)

Posted 01 March 2011 - 07:19 PM

ComboFix can check for and download updates, if there are any, before actually running. Maybe you got a bad download; that's why it was corrupt?





