
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
reply to goblinxxx
Re: hjt log for joker
quote: My computer has a number, paul f074 etc. Can this number be changed, as the hacker will have this number?
I don't understand what you mean by this number. If you have a software firewall installed,
quote: I've copied Malwarebytes and Spybot to CD, and McAfee, but what I can't work out is when I load the CD back up, how do I put McAfee back onto my desktop or system tray so I can just click on it and it will start scanning?
After you reinstall Windows, simply insert the CD and copy the install files for those two programs (that you wrote to the CD) to the Desktop, and double-click on them to start the installer. After they are installed, it will be safe to go back online and update everything.
-- Proud ASAP member since 2005

goblinxxx join:2009-06-15
reply to TheJoker
Just a couple more, Joker. My computer has a number, paul f074 etc. Can this number be changed, as the hacker will have this number? I've copied Malwarebytes and Spybot to CD, and McAfee, but what I can't work out is when I load the CD back up, how do I put McAfee back onto my desktop or system tray so I can just click on it and it will start scanning? I need to do this, don't I, as you said I shouldn't go back online before these components are reinstalled after the reinstallation of the operating system. If this can't be done, I will have to go online to do this, won't I? Once again many, many thanks for your help, Joker.

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
reply to goblinxxx
quote: 1) What does it mean when you say my system is being used as a relay site for porn?
If someone is uploading porn to your system, it's probably to make it available for others to download. The same thing is sometimes done with pirated software, where it's uploaded to an unsuspecting infected user, and it's there for others to download, using your bandwidth to do it instead of theirs.
quote: Is it possible to trace who is doing this?
Not really.
quote: 2) I'm pretty sure that I have had this trojan for quite some time now, and have you any idea why my security (McAfee) hasn't managed to find it? Is there any security out there that can stop things like this?
No security software will protect you from everything, and many security suites are compromises, often larger than need be because they try to provide every function possible, often simply to compete with another company's feature. I would recommend a good antivirus program, a good software firewall, and a good anti-malware program.
quote: 4) I have some poker sites on my computer such as PokerStars and Full Tilt, as I play poker for a living. Is it possible that these are infected, and if I delete them, then download them again, could they be infected after I have restored the operating system?
PartyPoker was always listed as a possible threat, although I don't know the specific reason. The best advice I could give would be to refer you to this older post at SWI: »www.spywareinfoforum.com/index.p···ic=78252
quote: 5) I have something called Face on Body also. I clicked on the properties of this and it said it was an .exe file. Could this be infected? I don't want to delete it and then download it again if there's any chance that this could be infected.
I found these:
I'm not familiar with either, but a quick search didn't find anything that stuck out. Neither one, however, had a privacy statement on their web site that I noticed, and I would be concerned about that.
quote: 6) Is it possible that websites I visit, such as YouTube, Facebook, and my email, could be compromised? What should I do about this? Would it be better for me to just set up new accounts with these?
Your accounts there are likely fine; just change your passwords from a clean, uninfected system. Social networking sites, however, are highly targeted by criminals that want to infect your system, and they should never be placed in the Trusted Zone. Infected graphics are often a problem at those sites, where a graphic or video won't display, and you get a message that you need to download a new CODEC to view it, and that's often what infects you.
quote: 7) Is it possible that some JPEG pictures I have saved to disc are carrying the Virut trojan? Should I just delete these discs?
You would probably be more likely to find infected video/audio files, but a JPEG can be infected. I would not reinstall any files without scanning the discs thoroughly.
quote: 8) I have had to reinstall the operating system 2 or 3 times before because of this, and each time the Virut or the hacker keeps coming back. What would you recommend is the best course of action to stop this permanently?
Install a good, up-to-date virus scanner and a good firewall, and don't reinstall anything without scanning it carefully. Since this has happened before, I would take the time to systematically scan all your discs if you can, as you may have something that is infected on them. Include your flash/USB drives. They are a common source of infection, and you should have Autoplay/Autorun turned off. You can do that with MS PowerTools, and Panda has utilities for that: »research.pandasecurity.com/archi···ine.aspx
Also, be careful where you surf. If you surf risky sites, you are more likely to get infected. Pirated software sites can infect you without even having downloaded anything. P2P software is a problem, because while the program itself may be clean, the networks themselves are often riddled with malware.
quote: 9) I asked before about changing my IP address. I have a router supplied by my ISP, who is British Telecom. I really need to know how and what would be the best way to change my IP address, because once a hacker has my IP address can he not keep trying to hack into my computer from this, and therefore if it is changed they won't be able to do this anymore?
A properly configured NAT router itself should reject any communications attempts that did not originate from your system. With that, and a good software firewall and antivirus, you will have a good deal of protection. I would also recommend a good anti-malware program like Malwarebytes' Anti-Malware. In your case, with previous infections, I would recommend the paid version for real-time protection. For an antivirus program, if you were looking for a free program, I'd recommend Avira AntiVir PersonalEdition Classic, available at http://www.free-av.com. Kaspersky is also excellent, but it is not free. Both are excellent scanners. Two excellent free firewalls are Outpost Firewall Free and Online Armor Free. Either one would be a good choice. There is a tutorial on understanding firewalls at »www.bleepingcomputer.com/forums/···l60.html and a tutorial for Outpost Free at »www.outpostfirewall.com/forum/sh···st179658. I would also recommend SpywareBlaster, and a good HOSTS file like the MVPS HOSTS file.
quote: 10) Is it possible that with my system being infected I have passed this virus onto someone else through an application such as Skype or Facebook?
I doubt it, but it's not impossible. The thing to watch out for there is social engineering, someone trying to get you to download something, or click a link. Be wary of where you click, and if you weren't expecting something from someone, don't click on it or open it.
Since you have decided to reformat and reinstall, if you have a backup program, you should backup your data before starting the new Windows installation. You don't need to backup program files, just backup your data. The programs can be reinstalled later. I would save your data to CD/DVD or an external device such as an external USB drive, but if you use a USB drive, be sure you have Autoplay and Autorun turned off.
When you install, since you will be installing from scratch, you need to be certain you delete the previous installation rather than do a Repair installation.
There is an excellent set of instructions at the below link complete with screenshots of what to expect at each step. http://www.michaelstevenstech.com/cleanxpinstall.html#steps
You should print out those instructions before proceeding. Have the installation discs or a saved install file handy for your antivirus and firewall. Disconnect from the Internet before proceeding with the installation (pull your connection cable).
When you get to step 10b, choose to delete the partition by pressing "D". You will then be prompted to create a new partition in the empty space. This will remove all data from the deleted space.
After you reinstall Windows:
- Install your Antivirus.
- Install your Firewall.
- Reconnect to the Internet.
- Update your AntiVirus.
- Go to Windows Update and install SP3 and ALL critical updates.
Keep your other software updated. Many updates for software such as Adobe Reader, Java and Adobe Flash are there to address vulnerabilities, and if a site says you need a newer version of a program like Adobe Reader or Flash to view something, don't do it. Go back to the author's site (like adobe.com) and obtain the current version. Some of those update notices on some sites, often from ads, are really attempts to infect you.
That was a lot. Any other questions?
-- Proud ASAP member since 2005

goblinxxx join:2009-06-15
reply to TheJoker
Hello Joker, I've decided to reinstall the operating system, so could you please send me the instructions to do so? Thanks. If it looks too complicated I will get the computer shop to do so. I have a few questions I hope you can help me with:
1) What does it mean when you say my system is being used as a relay site for porn? Is it possible to trace who is doing this?
2) I'm pretty sure that I have had this trojan for quite some time now, and have you any idea why my security (McAfee) hasn't managed to find it? Is there any security out there that can stop things like this?
3) Do you have any ideas how this could have got on my system?
4) I have some poker sites on my computer such as PokerStars and Full Tilt, as I play poker for a living. Is it possible that these are infected, and if I delete them, then download them again, could they be infected after I have restored the operating system?
5) I have something called Face on Body also. I clicked on the properties of this and it said it was an .exe file. Could this be infected? I don't want to delete it and then download it again if there's any chance that this could be infected.
6) Is it possible that websites I visit, such as YouTube, Facebook, and my email, could be compromised? What should I do about this? Would it be better for me to just set up new accounts with these?
7) Is it possible that some JPEG pictures I have saved to disc are carrying the Virut trojan? Should I just delete these discs?
8) I have had to reinstall the operating system 2 or 3 times before because of this, and each time the Virut or the hacker keeps coming back. What would you recommend is the best course of action to stop this permanently?
9) I asked before about changing my IP address. I have a router supplied by my ISP, who is British Telecom. I really need to know how and what would be the best way to change my IP address, because once a hacker has my IP address can he not keep trying to hack into my computer from this, and therefore if it is changed they won't be able to do this anymore?
10) Is it possible that with my system being infected I have passed this virus onto someone else through an application such as Skype or Facebook? I have to ask these questions, Joker, as I'm a complete novice on a computer.
11) Did you notice anything else on my computer that shouldn't have been there when you analysed the log files?
Once again, Joker, I thank you for your assistance.

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
reply to goblinxxx
Your system may be being used as a relay site for porn. As one or more of the items you need to remove is apparently a backdoor application which can allow attackers to access your computer, that means your system is completely compromised and they can also steal passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.
If you have a virut infection as suggested by ComboFix, the system is not salvageable. The virus will infect every executable and dll file in the system, and corrupt many of them leaving you with corrupt files that will not run when they are disinfected. You can read more about the infection and what it does, along with why a system infected with it is a lost cause for recovery:
»miekiemoes.blogspot.com/2009/02/···ing.html
I suggest you backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files... This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.
When you install, since you will be installing from scratch, you need to be certain you delete the previous installation rather than do a Repair installation.
If you want to continue further we can see what we can do, but the best recommendation would be to save your data and reinstall Windows.
Another option, since I see you have an Acronis backup program (apparently a version written for Maxtor), if the software had the capability (I'm not familiar with the Maxtor version), would be to boot from a restore disc and restore the system if you have a good backup set available. If your backups are on an attached USB drive, however, there is also the possibility that they could be infected as well, but it would be worth a try.
If you decide to reinstall, I can give you a good set of instructions for that.
Let me know what you decide to do.
-- Proud ASAP member since 2005

goblinxxx join:2009-06-15
reply to TheJoker
Hello Joker, here is the ComboFix log. When I first tried ComboFix it wouldn't work properly, I don't know whether this was because McAfee wasn't switched off properly, but it said this: ALERT IT IS NOT SAFE TO CONTINUE THE CONTENTS OF THE COMBOFIX PACKAGE HAVE BEEN COMPROMISED PLEASE DOWNLOAD A FRESH COPY NOTE YOU MAY BE INFECTED WITH A FILE PATCHING VIRUS "VIRUT". As for the pictures, they were of naked women. Also I have a router, and another thing happened earlier in the day: a command prompt box just appeared on my desktop screen for a few seconds then disappeared, but this is a separate incident and wasn't anything to do with ComboFix. Thank you again.

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.713 [GMT 1:00]
Running from: c:\documents and settings\Pauls Poker\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
/wow section - STAGE 9
The system cannot find the file c:\combofix\pev.exe.
The system cannot find the file c:\windows\PEV.exe.
'PEV' is not recognized as an internal or external command
/wow section - STAGE 24
'PEV' is not recognized as an internal or external command
'PEV.exe' is not recognized as an internal or external command
/wow section - STAGE 48
'PEV' is not recognized as an internal or external command
((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\everest tools\kerneld.wnt [x]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [x]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-17 01:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\d:\everest tools\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2420)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: ~,10time:~,-3
Pre-Run: 120,355,356,672 bytes free
Post-Run: 120,544,890,880 bytes free
--- E O F --- 2009-06-10 23:21
And here is the latest HJT log:
Scan saved at 1:08:03 AM, on 6/17/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec 
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab O18 - Protocol: sacore - 
{5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing) O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-- End of file - 7247 bytes

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
reply to goblinxxx
quote: speedscanpro and performance centre werent there, neither was c:\program files\ascentive
They may have already been cleaned by a scanner you ran after posting your first HijackThis log, as it's no longer there either. :)
quote: somebody has access to my computer and is placing pictures in the my pictures part of my computer
What type of pictures were being placed in your My Pictures?
quote: could you please tell me if it is possible that someone has placed a mirror on my computer eg i mean they can see everything that i am doing etc is this possible for someone to do????
While you could become infected by something that would try to give someone access to your computer, you are running a software firewall that would prevent that. You would get a warning from the firewall that an unauthorized program was trying to access the Internet and ask you if you wanted to allow it or not.
quote: what would be the best way for me to change my ip address???
What type of Internet connection do you have, i.e., dial-up, cable? If you have dial-up, there's no need, you have a different IP address each time you connect. Are you on cable without a router? Then you can try going to Start > Run, and typing IPCONFIG /RENEW. If you have a router, then that could be different, possibly having to click a Renew button in your Router setup.
Download ComboFix© by sUBs from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Familiarize yourself with ComboFix before running it: »www.bleepingcomputer.com/combofi···combofix
- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log. Please include the contents of the log at C:\ComboFix.txt in your next reply along with a new HijackThis log, and note any errors encountered.
-- Proud ASAP member since 2005

goblinxxx
join:2009-06-15
reply to goblinxxx
Hi Joker, firstly I would like to thank you for taking the time to try and help me fix this problem. I followed all the steps you asked me to, and I removed ZoneAlarm, but speedscanpro and performance centre weren't there, neither was c:\program files\ascentive. Here is the HJT log file. Also, could you please tell me if it is possible that someone has placed a mirror on my computer, e.g. I mean they can see everything that I am doing etc.? Is this possible for someone to do???? And what would be the best way for me to change my IP address???
Scan saved at 2:58:10 PM, on 6/16/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] 
"C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - 
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing) O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-- End of file - 7853 bytes

Here is the MBAM log file:
Database version: 2284 Windows 5.1.2600 Service Pack 2
6/16/2009 3:04:05 PM mbam-log-2009-06-16 (15-04-05).txt
Scan type: Quick Scan Objects scanned: 85909 Time elapsed: 5 minute(s), 3 second(s)
Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
And here is the ESET log file:
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=2ac09f67cc003a4c92ef18b53c0cfdf1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-15 06:07:20
# local_time=2009-06-15 07:07:20 (+0000, GMT Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 21 100 88 63974745312500
# scanned=44388
# found=1
# cleaned=1
# scan_time=1290
C:\Poker\Chilipoker\_SetupCasino_2f48_EN[1].exe a variant of Win32/PTCasino application (cleaned by deleting - quarantined) 00000000000000000000000000000000

# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=2ac09f67cc003a4c92ef18b53c0cfdf1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-16 02:22:48
# local_time=2009-06-16 03:22:48 (+0000, GMT Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 21 100 88 64704025937500
# scanned=41734
# found=0
# cleaned=0
# scan_time=1029
esets_scanner_update returned -1 esets_gle=53251

# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=2ac09f67cc003a4c92ef18b53c0cfdf1
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-16 02:29:55
# local_time=2009-06-16 03:29:55 (+0000, GMT Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 21 100 88 64708290937500
# scanned=6510
# found=0
# cleaned=0
# scan_time=89
I hope this is correct for you Joker, thank you again.

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
reply to goblinxxx
Re: hjt log someone is placing pictures on my comp
Hi goblinxxx
I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.
Your logs for ESET and MBAM were cut off. Please post the two logs again in your next reply.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
When everything is done and your log is clean again, you can enable it again. If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it. Please don't forget this step to disable TeaTimer.
You appear to be running McAfee Personal Firewall, and ZoneAlarm. You should not have more than one software firewall installed, as they will conflict with each other, and you actually end up with less protection, not more. You should decide which you want to keep, and completely uninstall the other. I would uninstall ZoneAlarm as the McAfee Personal Firewall is part of your security suite.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Speedscanpro
Performance Center
Then using Windows Explorer, delete the following folder if still there: C:\Program Files\Ascentive
Clean your Cache and Cookies in IE:
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, click the "Delete Files" button
- When prompted, place a check in "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Private Data).
- Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle Bin:
- Go to Start > Run and type: cleanmgr and click OK.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Pauls Poker\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Pauls Poker\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - »www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - »www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra button: InterCasino $$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - »www.intercasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - »www.intercasino.com (file missing) (HKCU)
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - »https://plugins.valueactive.eu/flashax/iefax.cab
Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
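The entries checked above fall into a few recognisable patterns (orphaned "(file missing)"/"(no file)" items, search and start pages redirected to a third-party host, an autorun key for the Ascentive program the user was told to uninstall, an ActiveX download from an unrecognised host, and two firewall services side by side). The script below is an added example, not part of this thread or of HijackThis, that triages constructed log lines with those rules; the hosts, the placeholder GUID and the "Example Poker" entry are made up for the sample.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample log: example.com / example.net hosts and a placeholder GUID,
# with entry shapes modelled on the ones discussed in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.com/cust/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O9 - Extra button: Example Poker - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Poker\Game.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.example.net/flashax/iefax.cab
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Hosts from which O16 (ActiveX) downloads are expected on this machine.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "download.eset.com"}
# Folder names of programs the user was told to uninstall, matched case-insensitively.
PUP_PATH_MARKERS = ("\\ascentive\\",)
# Service-name fragments that identify a software firewall, mapped to the product.
FIREWALL_SERVICES = {"McAfee Personal Firewall": "McAfee", "TrueVector Internet Monitor": "ZoneAlarm"}


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Classify one entry as 'fix', 'review' or 'keep' with a reason; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    if any(marker in body for marker in ORPHAN_MARKERS):
        return "fix", "orphaned entry, its target no longer exists"
    if etype in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if value.lower().startswith(("http://", "https://")):
            return "fix", f"search/start page redirected to {urlparse(value).hostname}"
        return "review", "browser default reset, confirm the user chose it"
    if etype == "O4" and any(marker in body.lower() for marker in PUP_PATH_MARKERS):
        return "fix", "autorun entry for a program the user was told to uninstall"
    if etype == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname
        if host in TRUSTED_DPF_HOSTS:
            return "keep", f"ActiveX download from trusted host {host}"
        return "fix", f"ActiveX control downloaded from unrecognised host {host}"
    return "keep", "no rule matched"


def triage_log(text: str) -> Dict[str, List[str]]:
    """Bucket every entry by verdict and warn when more than one firewall product is installed."""
    buckets: Dict[str, List[str]] = {"fix": [], "review": [], "keep": [], "warning": []}
    firewalls = set()
    for raw in text.splitlines():
        result = triage_line(raw)
        if result is None:
            continue
        verdict, reason = result
        buckets[verdict].append(f"{raw.strip()}  <- {reason}")
        if raw.lstrip().startswith("O23"):
            for fragment, product in FIREWALL_SERVICES.items():
                if fragment in raw:
                    firewalls.add(product)
    if len(firewalls) > 1:
        buckets["warning"].append(
            "more than one software firewall installed, keep one: " + ", ".join(sorted(firewalls)))
    return buckets


if __name__ == "__main__":
    for verdict, lines in triage_log(SAMPLE_LOG).items():
        for entry in lines:
            print(f"[{verdict.upper()}] {entry}")
```

The rules only reproduce this thread's reasoning; a real HijackThis log still needs a person to judge the "keep" and "review" buckets.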
Please post a new HijackThis log, and the logs from ESET's online scanner and MBAM that were cut off in your first post, and note any errors encountered.
-- Proud ASAP member since 2005

goblinxxx
join:2009-06-15
Somebody has access to my computer and is placing pictures in the My Pictures part of my computer, so if they can do this, what else must they be doing to my computer while they have access to it? The other day my speakers started making the most horrendous noise, as if something was being downloaded onto my computer. I have followed steps 1 apart from the Ad-Aware bit; I didn't do this because I had to pay for it, and I've followed steps 2 and 3 completely. Here is the HijackThis log and the ESET online and malware logs also.
Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\system32\nvsvc32.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe C:\Program Files\CheckPoint\ZAForceField\forcefield.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »uk.red.clientapps.yahoo.com/cust···hoo.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: 
McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 
'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Pauls Poker\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU) O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Pauls Poker\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU) O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - »www.williamhillcasino.com (file missing) (HKCU) O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - »www.williamhillcasino.com (file missing) (HKCU) O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - »www.intercasino.com (file missing) (HKCU) O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - »www.intercasino.com (file missing) (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation 
Tool) - »go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - »https://plugins.valueactive.eu/flashax/iefax.cab O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing) O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. 
- C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-- End of file - 11348 bytes
Here's the ESET log now:
signature="$CHICAGO$" AdvancedINF=2.0
[Setup Hooks] hookRegOcx=hookRegOcx
[hookRegOcx] run=%EXTRACT_DIR%\ESETSmartInstaller.exe -i #version=1.0.0.5863
Here's the malware log now:
signature="$CHICAGO$" AdvancedINF=2.0
[Setup Hooks] hookRegOcx=hookRegOcx
[hookRegOcx] run=%EXTRACT_DIR%\ESETSmartInstaller.exe -i #version=1.0.0.5863