TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

reply to goblinxxx

Re: hjt log for joker

quote:
speedscanpro and performance centre weren't there, neither was c:\program files\ascentive
They may have already been cleaned by a scanner you ran after posting your first HijackThis log, as it's no longer there either. :)

quote:
Somebody has access to my computer and is placing pictures in the My Pictures part of my computer.
What type of pictures were being placed in your My Pictures?

quote:
Could you please tell me if it is possible that someone has placed a mirror on my computer, e.g. I mean they can see everything that I am doing etc.? Is this possible for someone to do?
While you could become infected by something that would try to give someone access to your computer, you are running a software firewall that would prevent that. You would get a warning from the firewall that an unauthorized program was trying to access the Internet and ask you if you wanted to allow it or not.

quote:
What would be the best way for me to change my IP address?
What type of Internet connection do you have, i.e., dial-up, cable? If you have dial-up, there's no need, you have a different IP address each time you connect. Are you on cable without a router? Then you can try going to Start > Run, and typing IPCONFIG /RENEW. If you have a router, then that could be different, possibly having to click a Renew button in your Router setup.

Download ComboFix© by sUBs from one of these locations:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult-to-remove infections that will only be fixed if you have the Recovery Console installed.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply along with a new HijackThis log, and note any errors encountered.

--
Proud ASAP member since 2005

goblinxxx

join:2009-06-15

Hello Joker, here is the ComboFix log. When I first tried ComboFix it wouldn't work properly, don't know whether this was because McAfee wasn't switched off properly, but it said this: ALERT IT IS NOT SAFE TO CONTINUE
THE CONTENTS OF THE COMBOFIX PACKAGE HAVE BEEN COMPROMISED
PLEASE DOWNLOAD A FRESH COPY
NOTE YOU MAY BE INFECTED WITH A FILE PATCHING VIRUS "VIRUT"
As for the pictures, they were of naked women. Also, I have a router. Another thing happened earlier in the day: a command prompt box just appeared on my desktop screen for a few seconds then disappeared, but this is a separate incident and wasn't anything to do with the ComboFix. Thank you again.
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.713 [GMT 1:00]
Running from: c:\documents and settings\Pauls Poker\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
/wow section - STAGE 9
The system cannot find the file c:\combofix\pev.exe.
The system cannot find the file c:\windows\PEV.exe.
'PEV' is not recognized as an internal or external command

/wow section - STAGE 24
'PEV' is not recognized as an internal or external command
'PEV.exe' is not recognized as an internal or external command

/wow section - STAGE 48
'PEV' is not recognized as an internal or external command

((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\everest tools\kerneld.wnt [x]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [x]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-17 01:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\d:\everest tools\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2420)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: ~,10time:~,-3

Pre-Run: 120,355,356,672 bytes free
Post-Run: 120,544,890,880 bytes free

--- E O F --- 2009-06-10 23:21
And here is the latest HJT log:

Scan saved at 1:08:03 AM, on 6/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7247 bytes
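As an added example (not from this thread and not HijackThis's own code), here is a small Python triage helper for the HJT entry format shown in the log above. It parses the R/O entries and flags what a helper looks at first: O23 services whose binary is reported as missing or that carry no owner, O4 run entries that name a bare executable with no path, and O16 (DPF) ActiveX controls fetched from the web. The sample lines are copied from the log above (the O16 URL is the de-fanged DPF line from the ComboFix section of the same post); the flag rules are this example's own heuristics, not HijackThis output.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\\PROGRA~1\\mcafee\\VIRUSS~1\\scriptsn.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O4 - HKUS\\S-1-5-18\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\\Program Files\\Symantec\\LiveUpdate\\ALUSchedulerSvc.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\MSC\\mcmscsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    code: str     # HJT section code, e.g. "O23"
    subject: str  # service name, Run value name, CLSID, ...
    reason: str   # why a helper would look at this entry


# "O23 - Service: ..." -> code "O23", body "Service: ..."
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# "HKLM\..\Run: [Name] command line"  (hive may be HKUS\S-1-5-18 etc.)
O4_RE = re.compile(r"^(?P<hive>HK.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] ?(?P<cmd>.*)$")
# "DPF: {CLSID} (Friendly name) - source"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<src>.+)$")
MISSING = " (file missing)"


def _executable(cmd: str) -> str:
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_o4(body: str) -> list[Finding]:
    m = O4_RE.match(body)
    if not m:
        return []
    exe = _executable(m["cmd"])
    # A bare file name is resolved through the PATH search order at logon, so the
    # entry alone does not tell you which binary actually runs.
    if "\\" not in exe:
        return [Finding("O4", m["key"], f"run entry uses bare executable name '{exe}' (no full path)")]
    return []


def _check_o16(body: str) -> list[Finding]:
    m = O16_RE.match(body)
    if not m or not m["src"].lower().startswith(("http://", "https://")):
        return []
    host = urlparse(m["src"]).hostname or "?"
    return [Finding("O16", m["clsid"], f"ActiveX control '{m['name']}' is fetched from {host}")]


def _check_o23(body: str) -> list[Finding]:
    if not body.startswith("Service: "):
        return []
    # name - owner - path; the path is last, so a " - " inside it is safe.
    parts = body[len("Service: "):].split(" - ", 2)
    if len(parts) != 3:
        return []
    name, owner, path = parts
    out = []
    if path.endswith(MISSING):
        out.append(Finding("O23", name, "service points at a binary that no longer exists"))
    if owner == "Unknown owner":
        out.append(Finding("O23", name, "service binary carries no owner/signer information"))
    return out


CHECKS = {"O4": _check_o4, "O16": _check_o16, "O23": _check_o23}


def parse_entries(log_text: str) -> list[tuple[str, str]]:
    """Split an HJT log into (section code, body) pairs, skipping non-entry lines."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Run every section-specific check and return the findings in log order."""
    findings: list[Finding] = []
    for code, body in parse_entries(log_text):
        check = CHECKS.get(code)
        if check:
            findings.extend(check(body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.subject:32} {f.reason}")
```

On the sample it reports the bare `nwiz.exe` run entry, the ESET scanner control pulled from download.eset.com, and two findings for the orphaned Symantec LiveUpdate service; a flagged entry is a place to look, not a verdict.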



TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

Your system may be being used as a relay site for porn. As one or more of the items you need to remove is apparently a backdoor application which can allow attackers to access your computer, that means your system is completely compromised and they can also steal passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have a virut infection as suggested by ComboFix, the system is not salvageable. The virus will infect every executable and dll file in the system, and corrupt many of them leaving you with corrupt files that will not run when they are disinfected. You can read more about the infection and what it does, along with why a system infected with it is a lost cause for recovery:

»miekiemoes.blogspot.com/2009/02/···ing.html

I suggest you backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

When you install, since you will be installing from scratch, you need to be certain you delete the previous installation rather than do a Repair installation.

If you want to continue further we can see what we can do, but the best recommendation would be to save your data and reinstall Windows.

Another option, since I see you have an Acronis backup program (apparently a version written for Maxtor), if the software had the capability (I'm not familiar with the Maxtor version), would be to boot from a restore disc and restore the system if you have a good backup set available. If your backups are on an attached USB drive, however, there is also the possibility that they could be infected as well, but it would be worth a try.

If you decide to reinstall, I can give you a good set of instructions for that.

Let me know what you decide to do.
--
Proud ASAP member since 2005


goblinxxx

join:2009-06-15

Hello Joker,
I've decided to reinstall the operating system, so could you please send me the instructions to do so? Thanks. If it looks too complicated I will get the computer shop to do it.
I have a few questions I hope you can help me with:
1) What does it mean when you say my system is being used as a relay site for porn? Is it possible to trace who is doing this?
2) I'm pretty sure that I have had this trojan for quite some time now. Have you any idea why my security (McAfee) hasn't managed to find it? Is there any security out there that can stop things like this?
3) Do you have any idea how this could have got on my system?
4) I have some poker sites on my computer such as PokerStars and Full Tilt, as I play poker for a living. Is it possible that these are infected, and if I delete them, then download them again, could they be infected after I have restored the operating system?
5) I have something called Face on Body also. I clicked on the properties of this and it said it was an .exe file. Could this be infected? I don't want to delete then download it again if there's any chance that this could be infected.
6) Is it possible that websites I visit such as YouTube, Facebook, and my email could be compromised? What should I do about this? Would it be better for me to just set up new accounts with these?
7) Is it possible that some JPEG pictures I have saved to disc are carrying the Virut trojan? Should I just delete these discs?
8) I have had to reinstall the operating system 2 or 3 times before because of this, and each time the Virut or the hacker keeps coming back. What would you recommend as the best course of action to stop this permanently?
9) I asked before about changing my IP address. I have a router supplied by my ISP, who is British Telecom. I really need to know how and what would be the best way to change my IP address, because once a hacker has my IP address can he not keep trying to hack into my computer from this, and therefore if it is changed they won't be able to do this anymore?
10) Is it possible that with my system being infected I have passed this virus on to someone else through an application such as Skype or Facebook? I have to ask these questions, Joker, as I'm a complete novice on a computer.
11) Did you notice anything else on my computer that shouldn't have been there when you analysed the log files?
Once again, Joker, I thank you for your assistance.



TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

quote:
1) What does it mean when you say my system is being used as a relay site for porn?
If someone is uploading porn to your system, it's probably to make it available for others to download. The same thing is sometimes done with Pirated software, where it's uploaded to an unsuspecting infected user, and it's there for others to download using your bandwidth to do it instead of theirs.

quote:
Is it possible to trace who is doing this?
Not really.

quote:
2) I'm pretty sure that I have had this trojan for quite some time now. Have you any idea why my security (McAfee) hasn't managed to find it? Is there any security out there that can stop things like this?
No security software will protect you from everything, and many security suites are compromises, and often larger than need be because they try to provide every function possible, often simply to compete with another company's feature. I would recommend a good antivirus program, a good software firewall, and a good anti-malware program.

quote:
4) I have some poker sites on my computer such as PokerStars and Full Tilt, as I play poker for a living. Is it possible that these are infected, and if I delete them, then download them again, could they be infected after I have restored the operating system?
PartyPoker was always listed as a possible threat, although I don't know the specific reason. The best advice I could give would be to refer you to this older post at SWI:
»www.spywareinfoforum.com/index.p···ic=78252

quote:
5) I have something called Face on Body also. I clicked on the properties of this and it said it was an .exe file. Could this be infected? I don't want to delete then download it again if there's any chance that this could be infected.
I found these:

http://www.funphotor.com/face-on-body.html
http://www.faceonbody.com/
 

I'm not familiar with either, but a quick search didn't find anything that stuck out. Neither one, however, had a privacy statement on their web site that I noticed, and I would be concerned about that.

quote:
6) Is it possible that websites I visit such as YouTube, Facebook, and my email could be compromised? What should I do about this? Would it be better for me to just set up new accounts with these?
Your accounts there are likely fine, just change your passwords from a clean, uninfected system. Social networking sites, however, are highly targeted by criminals that want to infect your system, and they should never be placed in the Trusted Zone. Infected graphics are often a problem at those sites, where a graphic or video won't display, and you get a message that you need to download a new CODEC to view it, and that's often what infects you.

quote:
7) Is it possible that some JPEG pictures I have saved to disc are carrying the Virut trojan? Should I just delete these discs?
You would probably be more likely to find infected video/audio files, but a jpeg can be infected. I would not reinstall any files without scanning the discs thoroughly.

quote:
8) I have had to reinstall the operating system 2 or 3 times before because of this, and each time the Virut or the hacker keeps coming back. What would you recommend as the best course of action to stop this permanently?
Install a good, up-to-date virus scanner and a good firewall, and do not reinstall anything without scanning it carefully. Since this has happened before, I would take the time to systematically scan all your discs if you can, as you may have something that is infected on them. Include your flash/USB drives. They are a common source of infection, and you should have autoplay/autorun turned off. You can do that with MS PowerTools, and Panda has utilities for that:
»research.pandasecurity.com/archi···ine.aspx

Also, be careful where you surf. If you surf risky sites, you are more likely to get infected. Pirated software sites can infect you without even having downloaded anything. P2P software is a problem, because while the program itself may be clean, the networks themselves are often riddled with malware.

quote:
9) I asked before about changing my IP address. I have a router supplied by my ISP, who is British Telecom. I really need to know how and what would be the best way to change my IP address, because once a hacker has my IP address can he not keep trying to hack into my computer from this, and therefore if it is changed they won't be able to do this anymore?
A properly configured NAT router itself should reject any communications attempts that did not originate from your system. With that, and a good software firewall and antivirus, that will provide a good deal of protection. I would also recommend a good anti-malware program like Malwarebytes' Anti-Malware. In your case with previous infections, I would recommend the paid version for real-time protection. For an antivirus program, if you were looking for a free program, I'd recommend Avira AntiVir PersonalEdition Classic available at http://www.free-av.com. Kaspersky is also excellent, but it is not free. Both are excellent scanners. Two excellent free firewalls are Outpost Firewall Free or Online Armor Free. Either one would be a good choice. There is a tutorial on understanding firewalls at »www.bleepingcomputer.com/forums/···l60.html and a tutorial for Outpost Free at »www.outpostfirewall.com/forum/sh···st179658. I would also recommend SpywareBlaster, and a good HOSTS file like MVPS HOSTS File.

quote:
10) Is it possible that, with my system being infected, I have passed this virus on to someone else through an application such as Skype or Facebook?
I doubt it, but it's not impossible. The thing to watch out for there is social engineering, someone trying to get you to download something, or click a link. Be wary of where you click, and if you weren't expecting something from someone, don't click on it or open it.

Since you have decided to reformat and reinstall, if you have a backup program, you should back up your data before starting the new Windows installation. You don't need to back up program files, just your data. The programs can be reinstalled later. I would save your data to CD/DVD or an external device such as an external USB drive, but if you use a USB drive, be sure you have Autoplay and Autorun turned off.

When you install, since you will be installing from scratch, you need to be certain you delete the previous installation rather than do a Repair installation.

There is an excellent set of instructions at the below link complete with screenshots of what to expect at each step.
http://www.michaelstevenstech.com/cleanxpinstall.html#steps

You should print out those instructions before proceeding.
Have the installation discs or a saved install file handy for your antivirus and firewall.
Disconnect from the Internet before proceeding with the installation (pull your connection cable).

When you get to step 10b, choose to delete the partition by pressing "D". You will then be prompted to create a new partition in the empty space. This will remove all data from the deleted space.

After you reinstall Windows:
- Install your Antivirus.
- Install your Firewall.
- Reconnect to the Internet.
- Update your AntiVirus.
- Go to Windows Update and install SP3 and ALL critical updates.

Keep your other software updated. Many updates you find for software such as Adobe Reader, Java and Adobe Flash are there to address vulnerabilities, and if a site says you need a newer version of a program like Adobe Reader or Flash to view something, don't do it. Go back to the author's site (like adobe.com) and obtain the current version. Some of those update notices on some sites, often from ads, are really attempts to infect you.

That was a lot. Any other questions?

--
Proud ASAP member since 2005
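The post above recommends turning Autoplay/Autorun off for removable drives before reinstalling and before plugging the backup USB drive back in. The following is an added example, not code from the thread or from any tool named in it: a PowerShell script that reports the state of the Windows NoDriveTypeAutoRun policy and, when run with -Apply from an elevated prompt, sets it to 0xFF (the documented value that disables Autorun for every drive type). The registry path and value name are the standard Windows policy locations; the script name and the -Apply switch are this example's own.

```powershell
# Added example (not from the thread): audit and optionally enforce the Autorun policy.
# Run as Administrator when using -Apply, because the HKLM key is machine-wide.
param([switch]$Apply)

# Machine policy (HKLM) takes precedence over the per-user policy (HKCU); check both.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Each bit of NoDriveTypeAutoRun disables Autorun for one drive type; 0xFF covers them all.
$desired = 0xFF

foreach ($path in $policyPaths) {
    $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    if ($null -eq $current) {
        $state = 'not set (Windows default applies)'
    } elseif ($current -eq $desired) {
        $state = 'Autorun disabled for all drive types'
    } else {
        $state = ('Autorun only partially disabled (0x{0:X2})' -f $current)
    }
    Write-Output ("{0}: {1}" -f $path, $state)

    if ($Apply -and $current -ne $desired) {
        # Create the Policies\Explorer key if this machine has never had a policy set.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord -Value $desired -Force | Out-Null
        Write-Output '  -> NoDriveTypeAutoRun set to 0xFF'
    }
}
```

Run it once without -Apply to see what the current installation does, and again with -Apply after the reinstall, before inserting the backup drive. A reboot or logoff makes Explorer pick up the new value.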

goblinxxx

join:2009-06-15

Just a couple more, Joker. My computer has a number, paul f074 etc. Can this number be changed, as the hacker will have this number?
I've copied Malwarebytes and Spybot to CD, and McAfee, but what I can't work out is, when I load the CD back up, how do I put McAfee back onto my desktop or system tray so I can just click on it and it will start scanning? I need to do this, don't I, as you said I shouldn't go back online before these components are reinstalled after the reinstallation of the operating system. If this can't be done, I will have to go online, won't I, to do this? Once again many, many thanks for your help, Joker.



TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

quote:
My computer has a number, paul f074 etc. Can this number be changed, as the hacker will have this number?
I don't understand what you mean by this number. If you have a software firewall installed,

quote:
I've copied Malwarebytes and Spybot to CD, and McAfee, but what I can't work out is, when I load the CD back up, how do I put McAfee back onto my desktop or system tray so I can just click on it and it will start scanning?
After you reinstall Windows, simply insert the CD and copy the install file for those two programs (that you wrote to the CD) to the Desktop, and double-click on them to start the installer. After they are installed, it will be safe to go back online and update everything.
--
Proud ASAP member since 2005
