hijacked email address


16 replies to this topic

#1 justjeff0331


Posted 24 July 2011 - 05:25 AM

I have 2 Yahoo email accounts, not linked. When I opened one I saw an email sent from my other one, which I knew I did not send, and saw it had also been sent to a few people that are in my address book. I clicked on it to open it and see what I had sent, and AVG blocked it, saying it was a security threat. Then I clicked on "further info", which took me to the AVG virus library, and I searched for "exploit pharmacy spam site", which was the name AVG was giving for the virus, and got nothing. Then I went to my other Yahoo account and looked in my sent folder; nothing there. I went to my inbox and there was another email sent to me from the account that I was in, and saw it had also sent emails to more people in my address book. Not sure what info you will need, but here are the basics:

win xp pro
version 2002
service pack 3
AVG anti-virus free edition 2011


#2 Broni


Posted 24 July 2011 - 01:52 PM

Let's clarify.
Account #1 is affected, sending spam emails.
Are those spam emails present in the "Sent" folder?

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 justjeff0331


Posted 25 July 2011 - 01:49 AM

Yes, #1 is infected and sending spam emails.
No, nothing in the sent folder.
And I thought this strange, but I got an email from the #1 account to the #1 account; I did not know you could do that. I have not erased either of the 2 spam emails in case you need full headers. Updated and ran a full scan with AVG Anti-Virus Free Edition 2011; found nothing.

#4 justjeff0331


Posted 25 July 2011 - 02:55 AM

More info: I changed my password for account #1 and saw that I could check recent login activity, and when I checked I saw this:

Jul 23, 2011 3:45 PM Yahoo! Mobile Logged In Argentina
Jul 23, 2011 3:45 PM Yahoo! Mobile Logged In Argentina

and this -
Jul 22, 2011 12:49 PM Yahoo! Mobile Logged In Venezuela
Jul 22, 2011 12:49 PM Yahoo! Mobile Logged In Venezuela

which are not me.

I clicked on the "more info" and saw a recent question:

> Spam is being sent to my contacts from my Y! email account
> Last Updated: February 23, 2011
>
> Some users have reported that their contacts received spam that originated from their Yahoo! email account. This issue has been affecting multiple email providers, with the spam containing a URL soliciting prescription medicine.
> If you've experienced this issue, we strongly believe your account has been compromised and was used by an unauthorized third party to send spam or fraudulent emails to your contact list.
> Please change your Password. By changing your password immediately, you quickly minimize the resulting risk for your Yahoo! account. For help selecting a strong password and/or safeguarding it against misuse, please review the tips posted in the password section of the Yahoo! Security Center.
> We also suggest you perform a virus scan on your computer(s) if you haven't already done so.

One more thing, I do not know if it is related to all this or not, but I have a yellow triangle with a ! in it over my AVG icon in my notification area (lower right hand side, by the time). When I put the mouse over it, it says what it always says: "AVG Anti-Virus Free Edition 2011".

Edited by justjeff0331, 25 July 2011 - 02:55 AM.
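The two foreign "Yahoo! Mobile" logins above are the most useful evidence in this thread, and the poster later notes that their times line up with when the spam copies arrived. The script below is an added example (not code from the thread or from Yahoo): it parses activity rows in the layout pasted above, drops the duplicated rows, keeps only logins from outside the account owner's country, and reports which of those fall within a window of each spam message's timestamp. The home country, the extra legitimate login row, and the spam timestamps are constructed assumptions; the thread gives none of them.

```python
"""Correlate webmail login-activity rows with spam timestamps (added example)."""
import re
from datetime import datetime, timedelta

# Row layout pasted from the activity page:
# "Jul 23, 2011 3:45 PM Yahoo! Mobile Logged In Argentina"
LOGIN_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<client>.+?)\s+Logged In\s+(?P<country>.+?)\s*$"
)


def parse_login(line):
    """Return {'when', 'client', 'country'} for one activity row, or None."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("when"), "%b %d, %Y %I:%M %p")
    return {"when": when, "client": m.group("client"), "country": m.group("country")}


def foreign_logins(lines, home_country):
    """Unique logins from any country other than home_country, in page order."""
    seen, out = set(), []
    for line in lines:
        rec = parse_login(line)
        if rec is None or rec["country"].casefold() == home_country.casefold():
            continue
        key = (rec["when"], rec["client"], rec["country"])
        if key not in seen:  # the activity page listed every row twice
            seen.add(key)
            out.append(rec)
    return out


def correlate(logins, spam_times, window_minutes=120):
    """Pair each login with the spam timestamps within the window around it.

    Both sides must be in the same time zone: the activity page shows the
    account's configured zone, while a mail Date header carries its own
    offset, so convert before comparing.
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for rec in logins:
        near = sorted(t for t in spam_times if abs(t - rec["when"]) <= window)
        if near:
            hits.append((rec, near))
    return hits


# Constructed sample: the four rows from the post plus one assumed
# legitimate login from the owner's own (assumed) country.
ACTIVITY = [
    "Jul 23, 2011 3:45 PM Yahoo! Mobile Logged In Argentina",
    "Jul 23, 2011 3:45 PM Yahoo! Mobile Logged In Argentina",
    "Jul 22, 2011 12:49 PM Yahoo! Mobile Logged In Venezuela",
    "Jul 22, 2011 12:49 PM Yahoo! Mobile Logged In Venezuela",
    "Jul 21, 2011 8:02 AM Yahoo! Mail Logged In United States",
]
# Assumed arrival times of the two spam copies in the other inbox.
SPAM_TIMES = [datetime(2011, 7, 23, 15, 50), datetime(2011, 7, 22, 12, 55)]

if __name__ == "__main__":
    for rec, near in correlate(foreign_logins(ACTIVITY, "United States"), SPAM_TIMES):
        print(rec["when"], rec["client"], rec["country"], "-> spam at", near)
```

A login from a country the owner has never been in, a few minutes before a spam copy lands, is strong evidence that the account itself was used rather than merely spoofed; the script only narrows the candidates, so confirm against the message headers before concluding.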


#5 Broni


Posted 25 July 2011 - 06:59 PM

> No, nothing in sent folder

Most likely, it's not you sending those emails.
Someone else's infected computer, which has your address in its address book, must be used for sending those emails.

I suggest you change the password on your account #1. If spam is still happening, that would confirm my above statement.

We can check your computer as well.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

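Broni's hypothesis (another infected PC with the address in its contacts) and the poster's evidence (foreign logins) can be separated by reading the headers of the spam copies the poster kept. The script below is an added example, not code from the thread or from any of the tools it mentions. It uses the Received line written by the recipient's own mail server, the top one, because that is the only hop the recipient can trust: if the host that handed the message over belongs to the sender's provider, the account itself was used; if an unrelated host did, the From address was forged. Lower Received lines are written by whoever relayed the message and can be faked, so they are not relied on. The two messages are constructed samples; their header layout (Postfix-style "from helo (rdns [ip]) by ...", a Yahoo-style X-Originating-IP line) is an assumption about common conventions, and the IPs are documentation ranges.

```python
"""Compromised account or spoofed From? Read the trusted Received hop (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                # name the client announced; forgeable
    r"(?:\s+\((?P<rdns>[\w.-]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # what the receiving MTA observed
    r".*?\bby\s+(?P<by>\S+)",
    re.S | re.I,
)


def observed_client(received_header):
    """(host, ip) the receiving MTA saw, preferring its reverse DNS over HELO."""
    m = HOP_RE.search(received_header)
    if not m:
        return None
    host = (m.group("rdns") or m.group("helo")).lower().strip("[]")
    return host, m.group("ip")


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def originating_ip(raw):
    """Client IP some webmail providers record; compare with login activity."""
    value = message_from_string(raw).get("X-Originating-IP")
    return value.strip().strip("[]") if value else None


def classify(raw):
    """'account-used', 'spoofed-from' or 'indeterminate' for one raw message."""
    msg = message_from_string(raw)
    provider = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    received = msg.get_all("Received") or []
    if not provider or not received:
        return "indeterminate"
    client = observed_client(received[0])  # top line = our own server's record
    if client is None:
        return "indeterminate"
    host, _ip = client
    return "account-used" if in_domain(host, provider) else "spoofed-from"


# Constructed sample 1: handed over by the provider's own MTA, which also
# recorded the webmail client's address.
ACCOUNT_USED = (
    "Received: from nm12.bullet.mail.ne1.yahoo.com (nm12.bullet.mail.ne1.yahoo.com [192.0.2.75])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 1A2B3C; Sat, 23 Jul 2011 15:47:10 -0700\n"
    "Received: from [203.0.113.45] by web12345.mail.ne1.yahoo.com via HTTP; Sat, 23 Jul 2011 15:46:02 PDT\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "From: victim@yahoo.com\n"
    "To: friend@example.org\n"
    "Subject: (no subject)\n"
    "\n"
    "http://pharmacy.example/\n"
)

# Constructed sample 2: a bot on a consumer line announces a Yahoo hostname
# in HELO, but the reverse DNS our server recorded does not match.
SPOOFED = (
    "Received: from nm12.bullet.mail.ne1.yahoo.com (unknown [198.51.100.7])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 4D5E6F; Fri, 22 Jul 2011 12:55:31 -0700\n"
    "From: victim@yahoo.com\n"
    "To: friend@example.org\n"
    "Subject: (no subject)\n"
    "\n"
    "http://pharmacy.example/\n"
)

if __name__ == "__main__":
    for label, raw in (("sample 1", ACCOUNT_USED), ("sample 2", SPOOFED)):
        print(label, classify(raw), originating_ip(raw))
```

In this thread the receiving mailbox is also at Yahoo, so the hop to read is the one Yahoo's inbound server wrote. When the verdict is "account-used", the X-Originating-IP (where the provider records one) is the value to match against the login-activity page; when it is "spoofed-from", changing the password does nothing about the spam, which is exactly the test Broni proposes.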


 


#6 justjeff0331


Posted 26 July 2011 - 05:48 AM

> Most likely, it's not you sending those emails.
> Someone else's infected computer, which has your address in its address book, must be used for sending those emails.

That sounds possible, because I have seen emails from a couple of people whose address books I am in with a subject about Viagra, except for those 2 logins in South America, which match the times that I received the spam emails myself. Maybe you did not notice, but in my last post that is what I did, or said that I had done: I went and changed my password on account #1.

Here are all the logs you asked for:


Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 2011
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date HijackThis installed!
HijackThis 1.99.1
Java™ 6 Update 22
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 9.0.124.0
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````



MiniToolBox by Farbar
Ran by Administrator (administrator) on 25-07-2011 at 22:28:38
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp

# Interface IP Configuration for "Local Area Connection 3"

set address name="Local Area Connection 3" source=dhcp
set dns name="Local Area Connection 3" source=dhcp register=PRIMARY
set wins name="Local Area Connection 3" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

 Host Name . . . . . . . . . . . . : experien-2995f1
 Primary Dns Suffix . . . . . . . :
 Node Type . . . . . . . . . . . . : Unknown
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
 DNS Suffix Search List. . . . . . : ph.cox.net

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix . : ph.cox.net
 Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
 Physical Address. . . . . . . . . : 00-40-CA-4C-FA-F3
 Dhcp Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 IP Address. . . . . . . . . . . . : 70.162.173.153
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 70.162.173.1
 DHCP Server . . . . . . . . . . . : 172.19.73.43
 DNS Servers . . . . . . . . . . . : 68.105.28.11
                                     68.105.29.11
                                     68.105.28.12
 Lease Obtained. . . . . . . . . . : Monday, July 25, 2011 10:55:22 AM
 Lease Expires . . . . . . . . . . : Tuesday, July 26, 2011 10:55:22 AM

Ethernet adapter Local Area Connection 2:

 Media State . . . . . . . . . . . : Media disconnected
 Description . . . . . . . . . . . : D-Link DFE-530TX+ PCI Adapter
 Physical Address. . . . . . . . . : 00-11-95-21-64-C2

Ethernet adapter Local Area Connection 3:

 Media State . . . . . . . . . . . : Media disconnected
 Description . . . . . . . . . . . : Intel® PRO/100 S Desktop Adapter
 Physical Address. . . . . . . . . : 00-0E-0C-66-A1-5A

Server: cdns1.cox.net
Address: 68.105.28.11

Name: google.com
Addresses: 74.125.91.147, 74.125.91.99, 74.125.91.103, 74.125.91.104
74.125.91.105, 74.125.91.106

Pinging google.com [74.125.91.105] with 32 bytes of data:

Reply from 74.125.91.105: bytes=32 time=87ms TTL=53
Reply from 74.125.91.105: bytes=32 time=86ms TTL=53

Ping statistics for 74.125.91.105:
 Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 86ms, Maximum = 87ms, Average = 86ms

Server: cdns1.cox.net
Address: 68.105.28.11

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=93ms TTL=56
Reply from 69.147.125.65: bytes=32 time=92ms TTL=56

Ping statistics for 69.147.125.65:
 Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 92ms, Maximum = 93ms, Average = 92ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
 Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 40 ca 4c fa f3 ...... Realtek RTL8139/810x Family Fast Ethernet NIC
0x10004 ...00 11 95 21 64 c2 ...... D-Link DFE-530TX+ PCI Adapter
0x10005 ...00 0e 0c 66 a1 5a ...... Intel® PRO/100 S Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 70.162.173.1 70.162.173.153 20
46.107.100.145 255.255.255.255 70.162.173.1 70.162.173.153 20
70.162.173.0 255.255.255.0 70.162.173.153 70.162.173.153 20
70.162.173.153 255.255.255.255 127.0.0.1 127.0.0.1 20
70.255.255.255 255.255.255.255 70.162.173.153 70.162.173.153 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 70.162.173.153 70.162.173.153 20
255.255.255.255 255.255.255.255 70.162.173.153 10004 1
255.255.255.255 255.255.255.255 70.162.173.153 70.162.173.153 1
255.255.255.255 255.255.255.255 70.162.173.153 10005 1
Default Gateway: 70.162.173.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (07/24/2011 10:56:38 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
oahlpXX

Error: (07/24/2011 07:28:43 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
oahlpXX

Error: (07/22/2011 03:52:50 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:52:14 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:52:12 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:52:09 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:52:08 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:52:05 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:51:51 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D

Error: (07/22/2011 03:51:50 PM) (Source: 0) (User: )
Description: \Device\Harddisk3\D


Microsoft Office Sessions:
=========================

========================= Memory info: ===================================

Percentage of memory in use: 45%
Total physical RAM: 991.49 MB
Available physical RAM: 541.24 MB
Total Pagefile: 2388.57 MB
Available Pagefile: 1939.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.84 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:148.91 GB) (Free:19.86 GB) FAT32
3 Drive d: () (Fixed) (Total:74.52 GB) (Free:36.72 GB) NTFS
5 Drive f: () (Fixed) (Total:12.62 GB) (Free:2.39 GB) NTFS
6 Drive g: () (Fixed) (Total:15.33 GB) (Free:12.59 GB) NTFS

========================= Users: ========================================

User accounts for \\EXPERIEN-2995F1

Administrator Guest HelpAssistant


== End of log ==


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7279

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/26/2011 2:22:55 AM
mbam-log-2011-07-26 (02-22-55).txt

Scan type: Quick scan
Objects scanned: 142281
Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\my documents\downloads\smartdownload.exe (Adware.Casino) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\my documents\downloads\smartdownload (1).exe (Adware.Casino) -> Quarantined and deleted successfully.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-26 03:06:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD1600BB-56GUC0 rev.20.02H20
Running: pif85n2w.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwryqaow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7A10738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF7A107DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7A10878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7A10914]

---- Kernel code sections - GMER 1.0.15 ----

? idcf.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----


One more question for you: on the MiniToolBox I am assuming, or pretty sure, that "Report IE Proxy Settings" and "Report FF Proxy Settings" stand for Internet Explorer and Firefox. I don't know if this makes a difference or not, but I almost exclusively use Google Chrome as my browser unless I have to use IE.

#7 Broni


Posted 26 July 2011 - 06:51 PM

> One more question for you: on the MiniToolBox I am assuming, or pretty sure, that "Report IE Proxy Settings" and "Report FF Proxy Settings" stand for Internet Explorer and Firefox. I don't know if this makes a difference or not, but I almost exclusively use Google Chrome as my browser unless I have to use IE.

That's fine.

MBAM removed some items, but nothing serious.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.



 


#8 justjeff0331


Posted 27 July 2011 - 06:59 PM

I messed up a little bit: I downloaded ESET, updated it, then started it and went to sleep. When I got up in the morning I must have hit the wrong button and deleted all of it. So I downloaded it again, updated and started the scan again, then went to work. Now when I got home I got the log file saved like I should have, but I have this question: on the first run of ESET I had errors, and then again on the second run of ESET I had errors also. Shouldn't the first run of ESET have removed them?
Another thing, I do not know if this matters or not, or if you are aware of this, but the longest I can temporarily disable AVG is 15 min., and the scan took a lot longer than this to finish, so after 15 min. AVG starts back up. Would this affect the ESET scan? I didn't have any messages from AVG saying it took any actions.

Just noticed I've got a problem I sure hope you can help me with: it erased my program, or at least made it not work, and that is Mighty Slots, where I have real money and need to be able to access it. I tried to reinstall the program with no luck; it keeps saying it can't run because it cannot find casino.dll or something like that.


C:\Program Files\Slot Nuts\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Mighty Slots\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Mighty Slots\Install.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\99 Slot Machine\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Plenty Jackpot\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Cool Cat Casino\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Slots Inferno\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Slots Inferno\Install.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\HighNoon Casino\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\WinPalace\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Slots Jungle Casino\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Real Vegas Online\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Box24\Loader.exe Win32/RubyRoyal application cleaned by deleting - quarantined
C:\Program Files\CasinoRoyalClub\Loader.exe Win32/RubyRoyal application cleaned by deleting - quarantined
C:\Program Files\Silver Oak Casino\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\CaptainJack Casino\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Slots of Vegas\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\Program Files\Vegas Strip\casino.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP9\A0007724.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP11\A0007746.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP12\A0007874.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP13\A0007920.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP14\A0008802.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP16\A0008884.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP17\A0008927.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP22\A0010208.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP23\A0010266.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP28\A0012791.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014855.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014856.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014857.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014858.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014859.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014860.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014861.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014862.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014863.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014864.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014865.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014866.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014867.exe Win32/RubyRoyal application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014868.exe Win32/RubyRoyal application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014869.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014870.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014871.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1F7C696C-77C7-43BD-8D9C-13E2CD1A7F9F}\RP31\A0014872.dll a variant of Win32/CasOnline application cleaned by deleting - quarantined
D:\WINDOWS.0\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined

Edited by justjeff0331, 27 July 2011 - 07:13 PM.


#9 Broni (BC Advisor)

Posted 27 July 2011 - 08:41 PM

Unfortunately, for reasons probably known only to AVG's makers, disabling it for 15 minutes is the best you can do.

I'm sorry about your casino game. It looks like Eset read those files as a threat.
Did you try to dequarantine those casino files?
They're located in C:\Program Files\Eset Online Scanner\Quarantine folder.

You can do it manually, or you can re-run Eset and at step 4 you'll see this:

[screenshot of the step 4 screen]

Click on "Manage quarantine".

Edited by Broni, 27 July 2011 - 08:43 PM.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#10 justjeff0331 (Topic Starter)

Posted 28 July 2011 - 02:43 AM

> I'm sorry about your casino game. It looks like Eset read those files as a threat.
> Did you try to dequarantine those casino files?
> They're located in C:\Program Files\Eset Online Scanner\Quarantine folder.


I can find the folder easily enough, though I haven't a clue how to un-quarantine them. Doing a Google search for the last 2 hours, I found out that: 1. I am not the only person to have known-safe files quarantined. 2. Like I said, after 2+ hours of Googling I am still not even close to finding out how to do this. 3. All the while, for the last 2+ hours, I have been running the Eset online scanner again to try the other method; it takes many hours for this to run.

This is the first time I have ever had any kind of problem from any advice I have gotten here at BleepingComputer, and don't take this wrong, I am not upset in the least bit, maybe frustrated a little, but I understand this happens. What I would like to try to do, somehow through all this, is help everybody that uses this forum and gives advice on here as to what went wrong and maybe how to fix it more easily or avoid it altogether. Now, while I am not 100% sure of this, I have been using these casinos for many years now with no problems, and I think that the casinos go above and beyond in keeping bugs out of their software, for if they did not they would have no business. Like I said, I am not positive about this, but I will ask their support teams about this and see what they have to say.

-update- I figured I would finish running the Eset scan when I went to sleep, seeing how after 2 hours it was only 11% done. I hit the stop button, saw the Manage quarantine button, figured what do I have to lose, clicked on it, and there were all my files, so I restored them, and it worked. So now I'm wondering: 1. How long did I need to run it to do this? 2. Was it just my casino apps it removed? That is what it looks like to me, but I am not an expert. 3. These appear to be what they call false positives; is there a site to submit these to improve the freeware?

Thanks for all the help as usual you guys are great.

Edited by justjeff0331, 28 July 2011 - 02:53 AM.


#11 Broni (BC Advisor)

Posted 28 July 2011 - 04:01 PM

I'm glad to see a happy ending, but I'm not really sure we're talking about a false positive here.
Eset removed some files, which were classified as Win32/CasOnline application.
It may be potentially malicious.
See Google search: http://www.google.com/search?q=Win32%2FCasOnline&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-GB:official&client=firefox-a
See McAfee info about it: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=195362

I suggest....

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Program Files\Mighty Slots\casino.dll
- C:\Program Files\Slot Nuts\casino.dll
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.



#12 justjeff0331 (Topic Starter)

Posted 29 July 2011 - 06:22 AM

> I suggest....


Please don't get the wrong idea; you are the expert, so keep telling me what I need to do and I will do it. If I need to get rid of all those casino apps then I will. I have complete confidence in you, and if something goes a little awry, I have no doubt that if I can't get it back on track you will be able to.

Back to the task at hand. I don't know if I did something wrong or not, but VirusTotal has been running now "queued" for over 5 hours after starting the Reanalyse. What I think might be wrong is that when choosing the file I went to c/programs/mightyslots, then hit Open, and it opened mightyslots; so I then went to casino.dll, hit Open, and that is the file that is queueing. Same thing for slotnuts; I have 2 separate VirusTotals running. I also noticed that what they are running or queuing has the same name, casino.dll, not mightyslots, etc. I also noticed that for both the MD5, SHA1 and SHA256 are the same.

Here is a copy of the email I sent to Mighty Slots support; I think it might be interesting to hear what they say, if not mildly amusing.


Can you tell me why or how this got on my computer -  Win32/CasOnline - from your downloader-
C:\Program Files\Mighty Slots\casino.dll and what you are going to do about it.

Description
Trojan.Win32.CasOnline will secretly install on user’s personal computers without letting them know. Normally they are designed to attach and destroy the data and files on the computer, which results in the improper running of the computer, or failure to access the system. Moreover, once the computer is infected by Trojan.Win32.CasOnline, it is possible for hackers to access it remotely and do whatever as they like, leaving your files, programs, accounts, account and passwords unprotected.

#13 Broni (BC Advisor)

Posted 29 July 2011 - 10:54 AM

> I then went to casino.dll hit open and that is the file that is queueing, same thing for slotnuts, I have 2 separate virustotals running. Also noticed that what they are running or queuing is the same name, casino.dll not mightyslots...etc. Also noticed that for both the MD5, SHA1 and SHA256 are the same.

You did well. Those two casino.dll files are probably the same, used by two different casino games.
Cancel that scan and try to upload just one of those files.
If VirusTotal is still slow, try this site: http://virusscan.jotti.org/en

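The point made in the two posts above (identical MD5/SHA1/SHA256 for both casino.dll files means they are one and the same file, so it only needs to be submitted once) can be checked locally before uploading anything. The following is an added example, not code from the thread or from any of the products mentioned: it walks a directory tree for every file with a given name, hashes each one in chunks, and groups paths by SHA-256 so you submit one representative per distinct content. The sample tree built in `demo()` is constructed for the example (three made-up vendor folders under a temporary directory), not the real files from the thread.

```python
"""Hash candidate files and group identical ones, so a file that lives under two
product folders is submitted to an online scanner only once."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List


def file_digests(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of one file, read in chunks so a large DLL need not fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def group_by_content(paths: Iterable[str]) -> Dict[str, dict]:
    """Map SHA-256 -> {"digests": ..., "paths": [...]}: one entry per distinct file content."""
    groups: Dict[str, dict] = {}
    for p in paths:
        d = file_digests(p)
        groups.setdefault(d["sha256"], {"digests": d, "paths": []})["paths"].append(p)
    return groups


def find_named_files(root: str, name: str) -> List[str]:
    """Every file called `name` (case-insensitive) below `root`, e.g. each casino.dll under Program Files."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in filenames if f.lower() == name.lower())
    return sorted(hits)


def demo() -> dict:
    """Constructed sample (not the thread's real files): two vendor folders share one identical
    casino.dll, a third folder holds a different build. Returns a summary of the grouping."""
    root = tempfile.mkdtemp(prefix="hashdemo_")
    try:
        same = b"MZ" + b"\x90" * 64 + b"build A"     # placeholder bytes, not a real PE
        other = b"MZ" + b"\x90" * 64 + b"build B"
        for folder, data in (("Mighty Slots", same), ("Slot Nuts", same), ("Third Casino", other)):
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, "casino.dll"), "wb") as fh:
                fh.write(data)
        groups = group_by_content(find_named_files(root, "casino.dll"))
        return {
            "files_found": sum(len(g["paths"]) for g in groups.values()),
            "unique_uploads": len(groups),          # how many files actually need submitting
            "duplicate_sets": [
                sorted(os.path.basename(os.path.dirname(p)) for p in g["paths"])
                for g in groups.values() if len(g["paths"]) > 1
            ],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call `find_named_files(r"C:\Program Files", "casino.dll")` and submit one path from each group; the SHA-256 in each group is also what you paste into a scanner's hash search to see whether the file has already been analysed, which avoids the queue entirely.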


#14 justjeff0331 (Topic Starter)

Posted 29 July 2011 - 03:16 PM

The Jotti scan found nothing; tried both casinos. Ran the VirusTotal scan again for 3 hours or so; it never got past the queuing stage. I have to go out and do some work and am going to restart it and let it run all by itself and see what happens. Got a new thing, possibly, though: got a pop-up saying AVG protected me from several threats. I opened the interface, looked in the event history, then the virus vault, and had no record of anything being blocked today. Noticed that my anti-spyware and anti-virus were not updated, so I ran the updater; it said that I did so successfully and am now fully updated, but I still have the big yellow exclamation mark on both of those saying they are outdated and need to be updated. Did it 3 or 4 times, refreshed the interface, closed and re-opened the interface; still the same.

If you feel one of the other free security programs is better, as long as it does not use a whole bunch of memory and CPU (old system, AMD 1800 w/1 GB RAM), I have no problem changing, as long as it isn't Comodo. I have a horror story: the first and last time I will ever use a remote connection for help, one of their "experts" totally, I mean completely, wiped out everything on both of my hard drives and left me with nothing, when he knew I had bought this machine used and have no OS disk. Real quick, I always wanted to ask someone: is there such a thing as a binary-level root infection/virus that no one, not even Bill Gates, can remove? That is what he said was wrong. And to start off with, I really wasn't having any problems; I just saw something strange pop up, which ended up in a roundabout way leading to him.

-update- Just as I am ready to leave and go to turn off the monitor, this time it went through VirusTotal, and here is the log:

Antivirus Version Last Update Result
AhnLab-V3 2011.07.30.00 2011.07.29 -
AntiVir 7.11.12.167 2011.07.29 -
Antiy-AVL 2.0.3.7 2011.07.29 -
Avast 4.8.1351.0 2011.07.29 -
Avast5 5.0.677.0 2011.07.29 -
AVG 10.0.0.1190 2011.07.29 -
BitDefender 7.2 2011.07.29 -
CAT-QuickHeal 11.00 2011.07.29 -
ClamAV 0.97.0.0 2011.07.29 -
Commtouch 5.3.2.6 2011.07.29 -
Comodo 9557 2011.07.29 -
DrWeb 5.0.2.03300 2011.07.29 -
Emsisoft 5.1.0.8 2011.07.29 -
eSafe 7.0.17.0 2011.07.27 -
eTrust-Vet 36.1.8472 2011.07.29 -
F-Prot 4.6.2.117 2011.07.29 -
F-Secure 9.0.16440.0 2011.07.29 -
Fortinet 4.2.257.0 2011.07.29 -
GData 22 2011.07.29 -
Ikarus T3.1.1.104.0 2011.07.29 -
Jiangmin 13.0.900 2011.07.29 -
K7AntiVirus 9.109.4961 2011.07.29 -
Kaspersky 9.0.0.837 2011.07.29 -
McAfee 5.400.0.1158 2011.07.29 -
McAfee-GW-Edition 2010.1D 2011.07.29 -
Microsoft 1.7104 2011.07.29 -
NOD32 6335 2011.07.29 -
Norman 6.07.10 2011.07.29 -
nProtect 2011-07-29.02 2011.07.29 -
Panda 10.0.3.5 2011.07.29 -
PCTools 8.0.0.5 2011.07.29 -
Prevx 3.0 2011.07.29 -
Rising 23.68.04.03 2011.07.29 -
Sophos 4.67.0 2011.07.29 -
SUPERAntiSpyware 4.40.0.1006 2011.07.29 -
Symantec 20111.1.0.186 2011.07.29 -
TheHacker 6.7.0.1.264 2011.07.28 -
TrendMicro 9.200.0.1012 2011.07.29 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.29 -
VBA32 3.12.16.4 2011.07.29 -
VIPRE 9999 2011.07.29 -
ViRobot 2011.7.29.4595 2011.07.29 -
VirusBuster 14.0.145.2 2011.07.29 -


Additional information
MD5 : c37acece76953bcdf941e739d7c13057
SHA1 : 41bdb44b702d66f127d1a830e2743482cd61d236
SHA256: 31700acaf1712525a46efa4d6356a269d38b00cb478b64dc0a73afcb1c4fde28
ssdeep: 24576:JjX/xmdijuIhBDmj4ceDkkdlM1qwwkMKb:JTZmbIhBDm9uNBpKb
File size : 1401344 bytes
First seen: 2011-06-30 16:53:13
Last seen : 2011-07-29 20:22:14
TrID:
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Realtime Gaming, Inc
copyright....: Copyright © Realtime Gaming, Inc. 2000
product......: Casino Module
description..: Casino Module
original name: casino.dll
internal name: Casino Module
file version.: 11.0.0.3076
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

Not available.
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 1025024
CompanyName: Realtime Gaming, Inc
EntryPoint: 0x29af
FileDescription: Casino Module
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 1368 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 11.0.0.3076
FileVersionNumber: 11.0.0.3076
ImageVersion: 0.0
InitializedDataSize: 375296
InternalName: Casino Module
LanguageCode: English (U.S.)
LegalCopyright: Copyright Realtime Gaming, Inc. 2000
LinkerVersion: 10.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: casino.dll
PEType: PE32
ProductName: Casino Module
ProductVersion: 11.0.0.3076
ProductVersionNumber: 11.0.0.3076
Subsystem: Windows GUI
SubsystemVersion: 5.1
TimeStamp: 2011:06:23 01:52:48+02:00
UninitializedDataSize: 0
SHA256: 31700acaf1712525a46efa4d6356a269d38b00cb478b64dc0a73afcb1c4fde28

Edited by justjeff0331, 29 July 2011 - 03:30 PM.
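The VirusTotal table pasted above is plain text in the shape `engine version last-update result`, with `-` meaning the engine did not flag the file. Two things worth pulling out of such a table mechanically are the detection ratio and which engines were scanning with signatures older than the rest (in the pasted report, eSafe and TheHacker had older update dates than the other engines). The following is an added example, not the thread's or VirusTotal's own code, that parses that format and summarises it; the `SAMPLE_REPORT` text is constructed for the example, with two made-up engine names (`ExampleAV`, `OtherAV`) and made-up results, and is not the real scan result of casino.dll, which showed no detections.

```python
"""Parse a VirusTotal-style plain-text result table and summarise detections and stale engines."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# One row as pasted in the thread: "<engine> <version> <yyyy.mm.dd> <result>".
# A result of "-" means the engine did not flag the file.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)

# Constructed sample, not the real casino.dll report: two engines flag the file, two have
# signature dates older than the newest engine in the table.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AVG 10.0.0.1190 2011.07.29 -
Avast5 5.0.677.0 2011.07.29 -
eSafe 7.0.17.0 2011.07.27 -
Kaspersky 9.0.0.837 2011.07.29 -
ExampleAV 1.0 2011.07.29 PUA.Casino.Generic
OtherAV 2.0 2011.07.28 a variant of Win32/Example
"""


@dataclass
class Row:
    engine: str
    version: str
    updated: date
    result: Optional[str]   # None when the engine reported "-"


def parse_report(text: str) -> List[Row]:
    """Return one Row per engine line; header, blank and 'Additional information' lines are skipped
    because they do not contain a yyyy.mm.dd update date in the third column."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        y, mo, d = (int(x) for x in m.group("updated").split("."))
        result = m.group("result")
        rows.append(Row(m.group("engine"), m.group("version"), date(y, mo, d),
                        None if result == "-" else result))
    return rows


def summarize(text: str) -> dict:
    """Detection count and ratio, the engines that flagged the file, and the engines whose
    signatures were older than the newest update date in the table."""
    rows = parse_report(text)
    newest = max((r.updated for r in rows), default=None)
    flagged = [r.engine for r in rows if r.result is not None]
    stale = [r.engine for r in rows if newest is not None and r.updated < newest]
    return {
        "total": len(rows),
        "detections": len(flagged),
        "ratio": f"{len(flagged)}/{len(rows)}",
        "flagged": flagged,
        "stale": stale,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

A zero-detection table, as in the real report above, is only as strong as the engines' signature currency on scan day, which is why the stale list is worth looking at alongside the ratio; a clean verdict from an engine running two-day-old signatures says less than one from an engine updated that morning.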


#15 Broni (BC Advisor)

Posted 29 July 2011 - 03:27 PM

Yeah, I'd suggest, you uninstall AVG using AVG Remover: http://www.avg.com/us-en/utilities and install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan and see if anything comes up.
