
Spyware/adware Infection Log

6 replies to this topic

#1 BigJ

BigJ

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 30 May 2006 - 05:57 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:53:41 PM, on 5/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\39bd2aaf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
c:\anp.exe
C:\WINDOWS\System32\intell321.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\201.exe
c:\awuakqbw.exe
c:\Program Files\ryads.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [d9d27df9.exe] C:\WINDOWS\System32\d9d27df9.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [39bd2aaf.exe] C:\WINDOWS\System32\39bd2aaf.exe
O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\System32\win32hlp.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\ryads.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [d9d27df9.exe] C:\Documents and Settings\Jake\Local Settings\Application Data\d9d27df9.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [39bd2aaf.exe] C:\Documents and Settings\Jake\Local Settings\Application Data\39bd2aaf.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{06DB4613-4187-4966-B1C3-B9394357C635}: NameServer = 85.255.115.109,85.255.112.141
O17 - HKLM\System\CS1\Services\Tcpip\..\{06DB4613-4187-4966-B1C3-B9394357C635}: NameServer = 85.255.115.109,85.255.112.141
O17 - HKLM\System\CS2\Services\Tcpip\..\{06DB4613-4187-4966-B1C3-B9394357C635}: NameServer = 85.255.115.109,85.255.112.141
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_21.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:57 PM

Posted 31 May 2006 - 10:16 PM

Hello BigJ,

Welcome to Bleeping Computer. :thumbsup:

I'm afraid I don't have any good news for you. :flowers: Your computer is nearly hopelessly infected. You're running an unpatched version of XP, with no service packs, no antivirus or firewall, and you have a particularly nasty Trojan that has backdoor capability and steals passwords and other information from you. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so.

If you really want to try and clean this up, know that it will not be easy at all. Please let me know what you decide.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
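The assessment above rests on a few patterns in the HijackThis log: browser start pages redirected to a local file (R0/R1), the system.ini Shell= line launching a second executable (F2), autostart entries with random eight-hex-character names or living in temp, profile-data or drive-root locations (O4), and DNS resolvers replaced with outside addresses (O17). The following Python is an added example, not code from the thread or from HijackThis, that applies those same heuristics to a constructed sample of the posted log lines; the `dns_allowlist` parameter and the suspect-directory list are my own assumptions, not anything the tool provides.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# A finding is (entry type, reason, original log line).
Finding = Tuple[str, str, str]

# Constructed sample in HijackThis v1.99 log format; the entries are a trimmed
# subset of the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [39bd2aaf.exe] C:\WINDOWS\System32\39bd2aaf.exe
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{06DB4613-4187-4966-B1C3-B9394357C635}: NameServer = 85.255.115.109,85.255.112.141
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
"""

HEX_STEM = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)      # e.g. 39bd2aaf.exe
LOCAL_FILE = re.compile(r"^[a-z]:\\", re.I)             # value is a local path
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)      # C:\something.exe
# Assumed heuristic: autostarts from these locations deserve a second look.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\application data\\")


def split_entry(line: str) -> Tuple[Optional[str], str]:
    """Split 'O4 - body' into ('O4', 'body'); non-entries yield (None, line)."""
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, line)


def exe_path(command: str) -> str:
    """Extract the executable from an O4 command: quoted path, or text up to
    the first '.exe' (unquoted paths with spaces are common), else first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def check_o4(command: str) -> Optional[str]:
    """Return a reason string if an autostart command looks suspicious."""
    path = exe_path(command)
    if "\\" not in path:
        return "bare filename with no directory, cannot be located or verified"
    name = path.rsplit("\\", 1)[-1]
    if HEX_STEM.match(name):
        return "randomly-named (8 hex chars) executable"
    if DRIVE_ROOT.match(path):
        return "executable autostarting from the drive root"
    if any(d in path.lower() for d in SUSPECT_DIRS):
        return "executable autostarting from a temp/profile data directory"
    return None


def check_nameservers(value: str, allowlist: frozenset) -> List[str]:
    """Flag resolvers that are neither private-range nor in the allowlist."""
    bad = []
    for ip in (v.strip() for v in value.split(",")):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            bad.append(ip)
            continue
        if not addr.is_private and ip not in allowlist:
            bad.append(ip)
    return bad


def triage(log_text: str, dns_allowlist: frozenset = frozenset()) -> List[Finding]:
    """Apply the heuristics to every entry line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        kind, body = split_entry(raw)
        if kind in ("R0", "R1", "R3"):
            _, _, value = body.partition(" = ")
            if LOCAL_FILE.match(value.strip()):
                findings.append((kind, "browser page setting points at a local file", raw))
        elif kind == "F2":
            m = re.search(r"Shell=(.*)$", body, re.I)
            if m and m.group(1).strip().lower() != "explorer.exe":
                findings.append((kind, "system.ini Shell= launches something besides explorer.exe", raw))
        elif kind == "O4":
            m = re.search(r"\[([^\]]*)\]\s*(.*)$", body)
            reason = check_o4(m.group(2)) if m else None
            if reason:
                findings.append((kind, reason, raw))
        elif kind == "O17":
            _, _, value = body.partition("NameServer = ")
            bad = check_nameservers(value, dns_allowlist)
            if bad:
                findings.append((kind, "DNS resolvers overridden with unexpected public addresses: " + ", ".join(bad), raw))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run as-is it reports six findings from the sample: the start-page redirect, the Shell= hijack, three O4 autostarts (random hex name, bare filename, drive root) and the replaced resolvers; the Java updater and the Roxio service pass. Passing the ISP's real resolver addresses in `dns_allowlist` is how a responder tells a legitimate static DNS setting from a replaced one.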

#3 BigJ

BigJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 04 June 2006 - 12:08 PM

Aww.. :thumbsup: That's bad news. But that's ok. Thanks for the reply. I didn't realize it was that bad, but I guess I will go with the reformat, and I would like to do that ASAP, all things considered. I am able to reformat it myself, but I would like to back up some files. The problem is I don't know how to back up files. I guess all I can do is try to protect myself better next time. I will be getting some anti-virus software and a firewall. This is the last straw; I should have done this years ago. Could you tell me how to back up files? And you're positive a regular reformat, or what I know as a reformat, will take care of it? I have a Dell Dimension and have had to reformat it a number of times. I have the steps written down, but basically, will using the Windows Reinstallation CD and following a number of steps ensure that this virus will not still be on my computer?

Thanks again for the reply and I look forward to hearing from you again before I do anything.

BigJ

#4 BigJ

BigJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 04 June 2006 - 12:19 PM

Sorry for another reply; it wouldn't allow me to EDIT. But I was wondering: if I attach a file to my email and download it on another computer, will it transfer that trojan or anything else?

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:57 PM

Posted 04 June 2006 - 08:10 PM

Hello,

I am so sorry! Thank you for sending the PM. I have no idea how that got missed, and I feel awful. :thumbsup:

I think the best thing you could do would be to save your important files to either floppy, or burn them to a CD. Then, after the reformat, BEFORE you do anything else, install an AV and Firewall. You can then scan the files to make sure they're safe. There are some excellent FREE ones, and I'll give you the links to those. I use Avast! and it's great. It's free, light on resources, and listed in the top 10. Not bad for free!

AVG, Avira OR Avast are good FREE antivirus programs. Some good free firewalls are ZoneAlarm or Outpost.
A tutorial on understanding and using firewalls may be found here.
Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease the reliability of it!

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.


Hope this helps.

tea

#6 BigJ

BigJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 05 June 2006 - 04:28 PM

Wow! So much useful information. Well, my computer is reformatted and running well. I am downloading Avast and Firefox as I type this. I just want to take a minute and say THANK YOU SO MUCH!! You have been so helpful to me and many others. I hope you realize what a good thing you and others are doing here. This has made my week. I use my computer for EVERYTHING. And I don't know about other people, but when my computer is messed up, it throws off everything I do. Once again, thank you so much! :thumbsup: :flowers:

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:57 PM

Posted 05 June 2006 - 07:34 PM

You're most welcome! :thumbsup: A little secret? The reason I do this is because I was in your situation once. :flowers:

Take care, and surf safe!

tea