CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to Toco83
Re: HJT Log - Can't clean computer, please help

You have a LOT more problems than spyware. Your system has been compromised by a backdoor trojan and an information/password stealing trojan, among other assorted nasties.

Here is a description of the worst of the lot I see there:
A variant of this very dangerous trojan: Infostealer.Banker.D
»www.symantec.com/enterprise/secu···&tabid=1
as evidenced by this entry:
O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing)

W32/Vanebot-AX Worm
»www.sophos.com/security/analyses···tax.html
as evidenced by this entry:
O23 - Service: Microsoft Media - Unknown owner - C:\WINDOWS\System32\dllcache\Rtsecar.exe

An intruder has complete control over your machine and I see some files running that indicate more than one! I won't recommend cleaning this machine unless you have NO use for trusting it in the future. A reformat/reinstall of the operating system is really the only safe recommendation I can make. First thing, get this computer off the internet and off of any networks. If you need to access the internet, even to visit this topic here, use a known clean computer. However, with your stolen information and the presence of an intruder, the damage is already done and there is no telling what else may have been compromised at this point.

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
»www.microsoft.com/technet/securi···rat.mspx

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.

IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.

When should I re-format? How should I reinstall?
»Security »When should I re-format? How should I reinstall?

With that Infostealer.Banker.D trojan, there is a good chance that info stolen from your machine may result in not only identity theft but bank theft and more.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

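As an added example (not part of the original thread or of HijackThis itself), a small Python triage script that scans HijackThis-format lines for the two indicator patterns CalamityJane points to above: an O2 BHO registered for a missing, path-less DLL, and an O23 service with no publisher running from System32\dllcache. The sample log is constructed from the entries quoted in the thread plus benign lines of the same shape.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two entries cited in the reply above plus benign
# entries of the same shape (taken from the clean-looking parts of the logs).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\\WINDOWS\\SYSTEM32\\slserv.exe
O23 - Service: Microsoft Media - Unknown owner - C:\\WINDOWS\\System32\\dllcache\\Rtsecar.exe
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
"""

@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2" or "O23"
    line: str      # the original log line
    reasons: list  # why it was flagged

# HJT entry lines look like "O23 - <rest>"; R0/R1 entries share the shape.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

def triage_hjt(log_text: str) -> list:
    """Return a Finding for each entry matching the indicators discussed in the thread."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank, or "Running processes" path line
        section, rest = m.group(1), m.group(2)
        reasons = []
        if section == "O2":
            # Legitimate BHOs are registered with a full path to an existing DLL.
            if "(file missing)" in rest:
                reasons.append("BHO registered for a missing DLL")
            target = rest.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            if "\\" not in target:
                reasons.append("BHO DLL given without a full path")
        elif section == "O23":
            # dllcache is Windows File Protection's backup store, not a place
            # a service binary should live; an unsigned/unknown owner adds to it.
            if "Unknown owner" in rest:
                reasons.append("service with no publisher")
            if "\\dllcache\\" in rest.lower():
                reasons.append("service binary under System32\\dllcache")
        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons), "|", f.line)
```

Run against a full HJT log it prints only the flagged lines, so the two entries singled out in the reply stand out from the dozens of normal ones.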

Toco83

@btcentralplus.com

Holy crap. Thanks for telling me that!

I've followed those links and I've already cancelled my credit card, is there anything else I should do? This means they have every password, right?

So should I never use the computer again? I already reinstalled Windows from the discs when the problems first started because nothing was working, so should I do it again?

And how the heck did this happen?!

Thanks for the help.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Yes, Holy Carp is right! I rather got the shivers looking at your log because I saw many more in there but highlighted the most serious 2 that I saw. The variant of infostealing trojan you had - I can't be specific about without examining the file itself, but it is of that flavor and if this were my PC, yes, I would treat it as if every password were stolen and change them ALL. I would also be changing accounts and passwords for everything. Then you had a remote access trojan (meaning anyone in there could do anything and you would not know it and they don't leave traces of what was done), including changing settings in the Windows registry, installing hidden programs and files (in order to get back in if need be). Those are generally the most malicious types of infections you can have on a PC. Oftentimes a compromised PC like that one is used to send spam and attack other computers, which could also jeopardize your service with your ISP.

Did you reformat or just install over the top from the recovery discs? A reformat/reinstall would normally wipe everything from the hard drive and give you a fresh start as outlined in that one link I gave you:
»Security »When should I re-format? How should I reinstall?

That FAQ covers a lot more than I can enumerate here.

These days a reinstall can be any number of different methods depending on the manufacturer's instructions. I would check with them, or even hire a professional local shop to do it for you if this intimidates you (it does me - I don't do it often enough on a lot of different systems to advise on how to reformat/reinstall). I can only tell you the circumstances and the type of malware on there I DO see that would make me give that recommendation. I wouldn't trust the PC and I would take all precautions for protecting any info you have on there, as it could very well be in the hands of someone trying to cash in on that.


Toco83

@btcentralplus.com

There wasn't anything on the computer itself besides essays and stuff, but I did use it for banking and online shopping so I've changed all of my passwords and cancelled my credit card. Is there anything else I should've done?

I'm not sure what type of install I did. I think it wiped my hard drive clean, because none of my old stuff is on there and the laptop basically started from scratch like when I first got it. I did that because the computer wouldn't start up - in fact, it took me a couple of tries to get it to even install from the CDs without turning itself off. Then when I did get it re-installed it had all of the alerts and weird messages that I mentioned.

I haven't used the laptop for anything since it went crazy, apart from downloading all of the anti-spyware stuff. I've been using this clean computer instead for checking emails and so on, and posting here. But they could've gotten information from it before it started acting up, right?

What I don't understand is how this happened. One night my laptop was fine, the next morning it wouldn't start, and then all this! How did I get the Trojan? I didn't get any weird emails or anything, and if I had I wouldn't have opened them. Sorry if I'm being really naive, but I don't get how this happened. Does that mean someone had control of my computer before it went screwy?

Any further advice/help anyone could give me would be really appreciated.


Toco83

@btcentralplus.com

I used the System Recovery CD and did a complete reformat.

Here's my second Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:32, on 09/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.pcservicecall.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.pcservicecall.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Is it still there?


Toco83

@btcentralplus.com

Sorry for posting again, but now the 'clean' computer I was using is starting to act up.

Here's an HJT log from the computer I'm using right now:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:37, on 09/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SYSTEM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »login.passport.net/uilogin.srf?lc=2057&id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···m/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 205\Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - »tools.ebayimg.com/eps/wl/activex···3-18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE102696-0668-4BAB-B8AC-4D531F0DE632}: NameServer = 194.72.9.38 194.74.65.68
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Please can anyone help??