Someone Used My E-mail Account To Send Viruses


This topic is locked
10 replies to this topic

#1 potatopotatopotato

potatopotatopotato

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:40 PM

Posted 17 November 2006 - 04:40 PM

Ok, when I got home, one of my cousins called saying that I had apparently emailed him a virus. The email said something like, "Potat4o has a new e-mail address" then it linked to a site that gives a virus.

My cousin says that a bunch of text files were made and he tried to delete them all but they would keep multiplying and now his computer is unusable. It also appears as though this same message was emailed to all of my contacts as well. I think this is the virus they get (information) http://www.sarc.com/avcenter/venc/data/vbs.hard.a@mm.html

Now I have no idea how this happened or how anyone got into my account. I never, ever give out my password.

I checked my browser history and I don't think anyone did it from my computer. So I've changed e-mails now. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:07 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\AAAAAAAAADOWNLOADS GO HERE\stng260.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Documents and Settings\James\Desktop\AAAAAAAAADOWNLOADS GO HERE\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3784B4E-6D98-4B89-8765-B073478EA9AD}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Edited by potatopotatopotato, 17 November 2006 - 05:09 PM.


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 17 November 2006 - 10:38 PM

Hello potatopotatopotato,

I am SifuMike and I will be helping you. :thumbsup:

I don't see any malware in your log, only some minor cleanup to do. We shall do that later.

Let's check your computer deeper.

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. :flowers:
Note: This may take several hours to run, all depends on the size of your hard drive.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.



Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware 7.5

When done, submit the AVG Anti-Spyware 7.5 log and the BitDefender log.

Edited by SifuMike, 17 November 2006 - 10:41 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 potatopotatopotato

potatopotatopotato
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:40 PM

Posted 18 November 2006 - 10:38 AM

OK, here it is! :thumbsup:

BitDefender Online Scanner

Scan report generated at: Fri, Nov 17, 2006 - 22:50:40
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:45:03
Files: 259301
Folders: 3757
Boot Sectors: 2
Archives: 1714
Packed Files: 28311

Results
Identified Viruses: 3
Infected Files: 3
Suspect Files: 2
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 316686
Engine build: AVCORE v1.0 (build 2355) (i386) (Sep 25 2006 13:46:24)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\$VAULT$.AVG\50461718.FIL -> Suspected of: Trojan.Zlob.BY
C:\$VAULT$.AVG\50461718.FIL -> Disinfection failed
C:\$VAULT$.AVG\50461718.FIL -> Deleted
C:\$VAULT$.AVG\50461796.FIL -> Suspected of: Trojan.Zlob.BY
C:\$VAULT$.AVG\50461796.FIL -> Disinfection failed
C:\$VAULT$.AVG\50461796.FIL -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil26570904.dat=>(gzip) -> Detected with: Adware.Safetybar.B
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil26570904.dat=>(gzip) -> Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil26570904.dat=>(gzip) -> Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil26570904.dat -> Update failed
C:\System Volume Information\_restore{900131C4-7655-4D19-A9EA-0E460150F8B4}\RP100\A0015294.exe -> Infected with: Trojan.PWS.Ras.A
C:\System Volume Information\_restore{900131C4-7655-4D19-A9EA-0E460150F8B4}\RP100\A0015294.exe -> Disinfection failed
C:\System Volume Information\_restore{900131C4-7655-4D19-A9EA-0E460150F8B4}\RP100\A0015294.exe -> Deleted
C:\WINDOWS\system32\__delete_on_reboot__k_h_f_e_b_a_b_._d_l_l_ -> Infected with: MemScan:Trojan.Virtumod.BL
C:\WINDOWS\system32\__delete_on_reboot__k_h_f_e_b_a_b_._d_l_l_ -> Disinfection failed
C:\WINDOWS\system32\__delete_on_reboot__k_h_f_e_b_a_b_._d_l_l_ -> Deleted
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:36:17 AM 11/18/2006

+ Scan result:



C:\Program Files\Cain\Abel.dll -> Not-A-Virus.PSWTool.Win32.Cain.284 : No action taken.
C:\Program Files\Cain\Abel.exe -> Not-A-Virus.PSWTool.Win32.Cain.284 : No action taken.
:mozilla.10:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.399:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.24:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.26:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.28:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.12:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.13:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.14:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.15:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.16:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.79:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.80:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.81:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.156:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.27:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.47:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.29:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.30:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.10:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.11:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.8:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.9:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.171:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.365:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Hotlog : No action taken.
:mozilla.227:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.228:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.229:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.408:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.363:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.364:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.102:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.103:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.128:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.129:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.130:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.131:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.132:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.21:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\d8zd4c6n.default\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.275:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.317:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.318:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.320:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.


::Report end

I forgot to make a report for the scan after I cleaned it, so I did a second scan.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:24:02 AM 11/18/2006

+ Scan result:



C:\System Volume Information\_restore{900131C4-7655-4D19-A9EA-0E460150F8B4}\RP114\A0019597.dll -> Not-A-Virus.PSWTool.Win32.Cain.284 : Cleaned.
C:\System Volume Information\_restore{900131C4-7655-4D19-A9EA-0E460150F8B4}\RP114\A0019598.exe -> Not-A-Virus.PSWTool.Win32.Cain.284 : Cleaned.
:mozilla.18:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\inu2539q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.


::Report end

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 18 November 2006 - 11:19 AM

Hi potatopotatopotato,

Looks good. :thumbsup: Both of those scans removed some malware.

Let's do one more scan. Adaware will find many of the Keyloggers.

Please download, update and run Adaware SE 1.06.r1

Fix whatever it suggests.

If you need help running these tools, here are some helpful tutorials.
Spybot Tutorial
Adaware SE Tutorial

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/


Ad-Aware SE Setup

Please post the log from your Adaware SE 1.6r1 scan.

The fastest way to get the Adaware SE log is to navigate to your Ad-aware SE folder: C:\Documents and Settings\USER NAME\Application Data\Lavasoft\Ad-Aware\Logs.

Open this folder and find the correct log.
The logs are named "Ad-Aware log##-##-##.txt" (the #'s will be the date of the scan). Highlight all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard.
Now be online, logged in and ready to post your logfile.
Press Ctrl and V and that will copy your logfile to the post!

Edited by SifuMike, 18 November 2006 - 01:29 PM.


#5 potatopotatopotato

potatopotatopotato
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:40 PM

Posted 18 November 2006 - 01:42 PM

Ok, here is my log! :thumbsup:


Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, November 18, 2006 11:58:38 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R133 16.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):21 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-18-2006 11:58:38 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\James\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\mediaplayer\preferences
Description : last search path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-299502267-1580436667-682003330-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 220
ThreadCreationTime : 11-18-2006 5:57:26 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 312
ThreadCreationTime : 11-18-2006 5:57:36 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 336
ThreadCreationTime : 11-18-2006 5:57:38 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 380
ThreadCreationTime : 11-18-2006 5:57:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 392
ThreadCreationTime : 11-18-2006 5:57:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 11-18-2006 5:57:44 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 11-18-2006 5:57:45 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 652
ThreadCreationTime : 11-18-2006 5:57:46 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 856
ThreadCreationTime : 11-18-2006 5:57:55 PM
BasePriority : Normal
FileVersion : 6.00.2900.2649 (xpsp.050406-1732)
ProductVersion : 6.00.2900.2649
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1000
ThreadCreationTime : 11-18-2006 5:58:17 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : S-1-5-21-299502267-1580436667-682003330-1003\Software\Microsoft\Internet Explorer\MainStart Pagerunonce.msn.com

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 21




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21

12:06:03 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:25.125
Objects scanned:106509
Objects identified:0
Objects ignored:0
New critical objects:0

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 18 November 2006 - 02:06 PM

Hi potatopotatopotato,

Looks like you are clean. :thumbsup: How is your computer running?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 potatopotatopotato

potatopotatopotato
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 18 November 2006 - 02:14 PM

Thanks, my computer is running very smoothly thanks to you! :thumbsup:

Oh, there was another thing that I forgot to mention: my anti-virus (NOD32) found something while I was scanning with Bit-Defender. I just thought I should let you know.

11/18/2006 6:56:21 AM AMON file C:\DOCUME~1\James\LOCALS~1\Temp\tmp1 a variant of Win32/TrojanDownloader.ConHook trojan quarantined - deleted Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine.


Thanks again for your help.
:flowers: :huh:

Edited by potatopotatopotato, 18 November 2006 - 02:16 PM.
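As an added example (not part of the thread, and not NOD32's own tooling): a small Python parser for AMON log lines in the format quoted above, with a triage rule that flags the pattern this case shows, a downloader written into a user's Temp folder by the browser. The field layout is inferred from the single quoted line, and the second sample line is constructed for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the AMON line quoted above plus one made-up contrast line (not from a real log).
SAMPLE_LOG = r"""
11/18/2006 6:56:21 AM AMON file C:\DOCUME~1\James\LOCALS~1\Temp\tmp1 a variant of Win32/TrojanDownloader.ConHook trojan quarantined - deleted Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine.
11/18/2006 7:02:10 AM AMON file C:\Downloads\setup.exe Win32/Adware.Generic application quarantined Event occurred on a new file created by the application: C:\WINDOWS\explorer.exe. The file was moved to quarantine.
"""

# Field layout inferred from the one line quoted in the thread (assumption); other NOD32 builds may differ.
LOG_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<module>\w+) file (?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+ (?:trojan|virus|worm|adware|application)) "
    r"(?P<action>quarantined - deleted|quarantined|deleted|cleaned) "
    r"Event occurred on a new file created by the application: (?P<creator>.+?)\. "
    r"(?P<note>.*)$"
)

BROWSERS = {"firefox.exe", "iexplore.exe", "opera.exe"}

def parse_line(line):
    """Return the line's fields as a dict, or None if it is not an AMON file event."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(event):
    """Label one event. A downloader written into a Temp folder by a browser is the
    pattern the thread ends on (clear Temp, make sure the browser is up to date);
    anything else is left for a person to look at."""
    creator = PureWindowsPath(event["creator"]).name.lower()
    in_temp = any(p.lower() == "temp" for p in PureWindowsPath(event["path"]).parts)
    if in_temp and creator in BROWSERS and "TrojanDownloader" in event["threat"]:
        return "browser-dropped downloader in Temp: clear Temp, verify browser is patched"
    return "review manually"

def triage_log(text):
    """Parse every AMON line in text and attach a triage label to each event."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            ev["triage"] = triage(ev)
            events.append(ev)
    return events

if __name__ == "__main__":
    for ev in triage_log(SAMPLE_LOG):
        print(ev["timestamp"], ev["path"], "->", ev["triage"])
```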


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 18 November 2006 - 02:21 PM

Hi potatopotatopotato,

That file was from firefox and in your temp folder. We will clean the temp files. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.



Please read and follow
How did I get infected?, with steps so it does not happen again!

Edited by SifuMike, 18 November 2006 - 02:22 PM.

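Added example, not part of SifuMike's post and not CCleaner's own code: a Python script that applies the two settings above, once per user account and with the 48-hour age rule switched off (min_age_hours=0), to every profile's Temp folder. The profile layout <root>\<user>\Local Settings\Temp, the user names and the files are assumptions, built in a scratch directory so the script runs anywhere; the generalised min_age_hours parameter also lets you see what the 48-hour rule would have kept.

```python
import os
import tempfile
import time
from pathlib import Path
TEMP_SUBDIR = Path("Local Settings") / "Temp"  # assumed XP layout: <root>\<user>\Local Settings\Temp

def user_temp_dirs(profiles_root):
    """Yield (user, temp_dir) for every profile folder that has a Temp folder."""
    for profile in sorted(Path(profiles_root).iterdir()):
        if profile.is_dir() and (profile / TEMP_SUBDIR).is_dir():
            yield profile.name, profile / TEMP_SUBDIR

def clean_temp(temp_dir, min_age_hours=0, dry_run=True):
    """Select (and unless dry_run, delete) files at least min_age_hours old.
    min_age_hours=0 is the post's setting (48-hour rule unchecked): everything goes."""
    cutoff = time.time() - min_age_hours * 3600
    selected = []
    for f in sorted(Path(temp_dir).rglob("*")):
        if f.is_file() and f.stat().st_mtime <= cutoff:
            if not dry_run:
                f.unlink()
            selected.append(f)
    return selected

def clean_all_users(profiles_root, **kw):
    """Apply clean_temp to each user account, as the post says CCleaner should be."""
    return {user: clean_temp(temp, **kw) for user, temp in user_temp_dirs(profiles_root)}

def make_demo_root(base):
    """Constructed layout: two users, each with one 3-day-old and one fresh temp file."""
    old = time.time() - 72 * 3600
    for user in ("James", "Guest"):
        temp = Path(base) / user / TEMP_SUBDIR
        temp.mkdir(parents=True)
        (temp / "tmp1").write_text("stale")
        os.utime(temp / "tmp1", (old, old))
        (temp / "tmp2").write_text("fresh")
    return Path(base)

def run_demo(min_age_hours=0, dry_run=True):
    """Clean the constructed layout in a scratch dir; return ({user: n_selected}, files left)."""
    with tempfile.TemporaryDirectory() as base:
        root = make_demo_root(base)
        result = clean_all_users(root, min_age_hours=min_age_hours, dry_run=dry_run)
        left = sum(1 for _, t in user_temp_dirs(root) for f in t.rglob("*") if f.is_file())
        return {u: len(v) for u, v in result.items()}, left

if __name__ == "__main__":
    print("dry run, all files:", run_demo(0, True), "| 48h rule, deleting:", run_demo(48, False))
```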

#9 potatopotatopotato

potatopotatopotato
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 18 November 2006 - 03:02 PM

OK, I did the cleaning with CCleaner, and my PC is running nicely. :thumbsup:

Edited by potatopotatopotato, 18 November 2006 - 03:02 PM.


#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 18 November 2006 - 03:20 PM

That's what I love to hear. :thumbsup:

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:40 PM

Posted 20 November 2006 - 12:34 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



