
Hotmail and possible infection question?


6 replies to this topic

#1 Lishy

Lishy

  • Members
  • 49 posts

Posted 01 March 2012 - 03:58 PM

Hey guys. Just a general question more than anything.

Usually when I get a phishing email, in Hotmail I usually right click it, view message source just in case to confirm the legitimacy of the email, then block the sender. However, according to cryptodan on IRC, I can be infected without even opening the email. Is this true?

I recently got in my junk mail folder an email "Paypal Account-Notice". It was apparently from service@paypal.co.

I did not open the email. But according to cryptodan, because of how hotmail works, I can be infected by doing view message source, or merely accessing my Junk Mail folder? Is that really true?

Where LISHYEMAILADDRESS@hotmail.com is my email. Anyways, here's the source of the message:
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; sender-id=temperror (sender IP is 61.108.11.132) header.from=service@paypal.co; dkim=none header.d=paypal.co; x-hmca=none
X-Message-Status: n:0:n
X-SID-PRA: PayPal <service@paypal.co>
X-DKIM-Result: None
X-AUTH-Result: NONE
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD00
X-Message-Info: 11chDOWqoTlqQgbOVr0ULGnHSUBRQ4wUHE9nADTztBY6qtaLxACqsJfuIqD64l9FuwaLRuKyRouPZzkq/knovHFArdRdXhuGI8OISvAHc6QpUqMNMXpXVUHeio90pFHO
Received: from china-317114b26.com ([61.108.11.132]) by BAY0-MC1-F37.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Thu, 1 Mar 2012 11:19:26 -0800
Received: from ibeov (unknown [160.104.112.24])
	by china-317114b26.com (Postfix) with ESMTP id 277665278A1
	for <LISHYEMAILADDRESS@hotmail.com>; Thu, 1 Mar 2012 19:19:32 -0000
Date: Fri, 2 Mar 2012 03:19:32 +0800
From: "PayPal" <service@paypal.co>
To: "LISHYEMAILADDRESS" <LISHYEMAILADDRESS@hotmail.com>
Reply-To: <service@paypal.co>
Subject: =?GB2312?B?UGF5UGFsIEFjY291bnQtTm90aWNl?=
X-Mailer: Foxmail 5.0 [cn]
Mime-Version: 1.0
Content-Type: text/html;
	charset="GB2312"
Content-Transfer-Encoding: base64
Content-Disposition: inline
Message-Id: <20120301191932.277665278A1@china-317114b26.com>
Return-Path: service@paypal.co
X-OriginalArrivalTime: 01 Mar 2012 19:19:27.0524 (UTC) FILETIME=[383E3E40:01CCF7E0]
Could I have been infected just by doing what I've done? I do however use NoScript and Adblock+ with the newest version of Firefox, but I don't think that makes a difference, does it?

Edited by Lishy, 01 March 2012 - 04:02 PM.
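The header block pasted above can be triaged without ever rendering the message, which is what "view message source" gives you. The following is an added Python example (not from this thread or from BleepingComputer) that parses that header block, embedded here as constructed input with the placeholder address kept, and reports the authentication results, the relay that handed the mail to Hotmail, the decoded subject and a list of red flags.

```python
"""Header-only triage of a suspected phishing email (added example, not from the thread)."""
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed input: the header block quoted in the first post, body omitted.
RAW_HEADERS = """\
Authentication-Results: hotmail.com; sender-id=temperror (sender IP is 61.108.11.132) header.from=service@paypal.co; dkim=none header.d=paypal.co; x-hmca=none
X-SID-PRA: PayPal <service@paypal.co>
Received: from china-317114b26.com ([61.108.11.132]) by BAY0-MC1-F37.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
\t Thu, 1 Mar 2012 11:19:26 -0800
Received: from ibeov (unknown [160.104.112.24])
\tby china-317114b26.com (Postfix) with ESMTP id 277665278A1
\tfor <LISHYEMAILADDRESS@hotmail.com>; Thu, 1 Mar 2012 19:19:32 -0000
From: "PayPal" <service@paypal.co>
Reply-To: <service@paypal.co>
Subject: =?GB2312?B?UGF5UGFsIEFjY291bnQtTm90aWNl?=
X-Mailer: Foxmail 5.0 [cn]
Content-Type: text/html;
\tcharset="GB2312"
Content-Transfer-Encoding: base64
Return-Path: service@paypal.co

"""


def auth_results(msg):
    """Map each method in Authentication-Results to its result, e.g. {'dkim': 'none'}."""
    return dict(re.findall(r"\b(sender-id|spf|dkim|dmarc)=([a-z]+)",
                           msg.get("Authentication-Results", "")))


def first_hop(msg):
    """Host and IP of the relay that handed the message to the receiving provider.

    Only the topmost Received header was written by the provider itself; the
    lower ones come from the sender and can say anything."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    host = re.match(r"\s*from\s+(\S+)", received[0])
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return (host.group(1).lower() if host else None, ip.group(1) if ip else None)


def header_domain(msg, name):
    """Domain part of an address header such as From or Return-Path."""
    m = re.search(r"@([\w.-]+)", msg.get(name, ""))
    return m.group(1).lower() if m else ""


def triage(raw_headers):
    """Parse the headers and return the extracted facts plus a list of red flags."""
    msg = message_from_string(raw_headers)
    auth = auth_results(msg)
    host, ip = first_hop(msg)
    sender = header_domain(msg, "From")
    subject = str(make_header(decode_header(msg.get("Subject", ""))))  # RFC 2047 decode
    flags = []
    if auth.get("dkim", "none") == "none":
        flags.append("no DKIM signature")
    if auth.get("sender-id") != "pass":
        flags.append(f"sender-id={auth.get('sender-id', 'missing')}")
    if host and sender and host != sender and not host.endswith("." + sender):
        flags.append(f"first hop {host} is not under From domain {sender}")
    return {"origin_ip": ip, "first_hop": host, "from_domain": sender,
            "subject": subject, "body_type": msg.get_content_type(),
            "auth": auth, "flags": flags}


if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS).items():
        print(f"{key}: {value}")
```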



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 01 March 2012 - 04:01 PM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?", you will need to perform the following tasks and post the logs of each if you can.

Please download and run Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program. If you want to accept it, you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are unchecked (leave all others checked):
    • Ignore files larger than 4mb
    • Ignore non-executable files

    Now Perform the scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

SAS Portable
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

#3 Lishy

Lishy
  • Topic Starter

  • Members
  • 49 posts

Posted 01 March 2012 - 06:39 PM

Checkup
Results of screen317's Security Check version 0.99.31  
 Windows 7  x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled!
 avast! Internet Security
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
 MVPS Hosts File
 Spybot - Search & Destroy
 Java(TM) 6 Update 31
 Adobe Flash Player 10.0.32.18 Flash Player out of Date!
 Mozilla Firefox (10.0.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent
 Malwarebytes' Anti-Malware mbam.exe
 AVAST Software Avast AvastSvc.exe
 AVAST Software Avast afwServ.exe
 AVAST Software Avast AvastUI.exe
``````````End of Log````````````

MBAM
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.15.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Lishy :: LISHY-PC [administrator]

3/1/2012 3:44:39 PM
mbam-log-2012-03-01 (15-44-39).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 435827
Time elapsed: 59 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

SUPERAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/01/2012 at 06:03 PM

Application Version : 5.0.1144

Core Rules Database Version : 8295
Trace Rules Database Version: 6107

Scan type       : Complete Scan
Total Scan Time : 00:46:40

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 602
Memory threats detected   : 0
Registry items scanned    : 68564
Registry threats detected : 0
File items scanned        : 95578
File threats detected     : 15

Adware.Tracking Cookie

And GMER
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-01 18:33:45
Windows 6.1.7601 Service Pack 1 
Running: h0fitxtn.exe


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e                      
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485d6021838a                      
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)  
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485d6021838a (not active ControlSet)  

---- EOF - GMER 1.0.15 ----

Currently I'm scanning with Avast.

edit: Avast detects nothing. So am I infected or what? O_o

Edited by Lishy, 01 March 2012 - 07:52 PM.


#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 02 March 2012 - 12:47 AM

Your logs look clean and I see no malware.

#5 Lishy

Lishy
  • Topic Starter

  • Members
  • 49 posts

Posted 02 March 2012 - 02:29 AM

Thanks!

But what might be causing these issues then?

http://www.bleepingcomputer.com/forums/topic443919.html


Also, a new symptom on this new laptop: Sometimes windows sounds don't play. Like the sound when you adjust the volume bar, or the click when you access a directory. Sometimes it won't play at all and I must reset to get it back! WTF!?

My audio drivers are up to date!

#6 Lishy

Lishy
  • Topic Starter

  • Members
  • 49 posts

Posted 02 March 2012 - 01:39 PM

Hey, I had to do a system restore for various reasons, so I re-scanned, and now it says I had 34 threats, with some quarantined instead of removed. How does it look?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/02/2012 at 01:31 PM

Application Version : 5.0.1144

Core Rules Database Version : 8295
Trace Rules Database Version: 6107

Scan type       : Complete Scan
Total Scan Time : 05:00:43

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 580
Memory threats detected   : 0
Registry items scanned    : 68562
Registry threats detected : 0
File items scanned        : 289855
File threats detected     : 34

Adware.Tracking Cookie


#7 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 02 March 2012 - 02:31 PM

Looks fine to me.
