|
|
|
A new battle of adware
|
|
|
Angryguy
Newbie
|
4. May 2007 @ 18:00 |
Link to this message
|
My nephew's computer is infected with some sort of adware/malware. His computer was running slowly, and (more importantly) random advertisements kept popping up.
AVG Anti-Virus found nothing. Ad-Aware and Spybot found a lot of cookies and some junk in temp files, but haven't identified the source of the problem. Avast finally detected "Win32:Adware." I ran through both anti-virus and spyware utilities, plus an online virus scanner (ewido) and ran HiJack this, removing a few suspicious entries.
The system seems to be running better now (no reports of random advertisements for the past few days), but I think he's still got something on there. Avast popped up earlier tonight that it blocked some jpg file from being download that was infected with a Virus/Trojan, however to my knowledge he had no websites open at the time except an AOL (the software) homepage.
The HijackThis logfile is below. Is there anything on there that I missed?
fyi: I am accessing his computer remotely using LogMeIn, which explains several of the items in the log. Avast and AVG are both installed atm, given Avast's greater success at finding problems, I'll likely uninstall AVG when I'm done.
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 9:54:59 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...arm1=seconduser
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ywvsporh.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20278.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B5BD32-9CFF-4D13-9454-A6471496607C}: NameServer = 167.206.3.155,167.206.3.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDA14335-56F2-4FEE-861F-97A7120C71DE}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Event Viewer (EventViewer) - Unknown owner - C:\WINDOWS\system32\spoolsmc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
|
|
Advertisement
|
 |
|
|
|
blake123
Suspended due to non-functional email address
|
4. May 2007 @ 20:59 |
Link to this message
|
get this please
http://www.filepedia.com/desktop_softwar...mitfraudfix.cfm
If you can go in to safe mode but i doght you can because you are accesing it remotely,if you cant put smitfraudfix in local disk c
and run.
# Double-click smitfraudfix.exe
# Select 2 and hit Enter to delete infect files.
# You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
# The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
# A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
post report please
|
|
Angryguy
Newbie
|
5. May 2007 @ 18:12 |
Link to this message
|
Thanks. It doesn't look like it found much, so maybe his computer is finally cleaned up.
Quote:
SmitFraudFix v2.176
Scan done at 22:02:28.18, Sat 05/05/2007
Run from C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243
Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 167.206.3.155
DNS Server Search Order: 167.206.3.154
Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 205.188.146.145
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A2B5BD32-9CFF-4D13-9454-A6471496607C}: NameServer=167.206.3.155,167.206.3.154
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B79CD0E0-7DB7-4724-A9D0-ED3179536593}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FDA14335-56F2-4FEE-861F-97A7120C71DE}: NameServer=205.188.146.145
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A2B5BD32-9CFF-4D13-9454-A6471496607C}: NameServer=167.206.3.155,167.206.3.154
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B79CD0E0-7DB7-4724-A9D0-ED3179536593}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FDA14335-56F2-4FEE-861F-97A7120C71DE}: NameServer=205.188.146.145
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A2B5BD32-9CFF-4D13-9454-A6471496607C}: NameServer=167.206.3.155,167.206.3.154
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B79CD0E0-7DB7-4724-A9D0-ED3179536593}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
|
|
blake123
Suspended due to non-functional email address
|
6. May 2007 @ 03:48 |
Link to this message
|
|
yeah,it looks pretty good but post another hijack this log to make sure we got it all.
This message has been edited since posting. Last time this message was edited on 6. May 2007 @ 04:16
|
Member
|
6. May 2007 @ 07:01 |
Link to this message
|
No. Please do not fix if you don't know what you are doing blake123!
Angryguy: You have Vundo-Trojan in your computer. Please rename HijackThis to scanner.exe and post new HijackThis log. Then blake123 can give you Vundofix instructions. If you can?
Virustorjunta.net asiantuntevaa palvelua ilman peeloilua.
Hjt-lokit tänne |
|
Advertisement
|
|
|
|
blake123
Suspended due to non-functional email address
|
6. May 2007 @ 08:24 |
Link to this message
|
my bad i thought there had to be a matching O2, and O20 entry for it to be vundo.But if it hides the lines its also vundo thanks for correcting me.
# Download Vundo Fix and save it to your desktop.
# When it has completed downloading, double-click VundoFix.exe to run it.
# Click the Scan for Vundo button.
# Once it's done scanning, click the Remove Vundo button.
# You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
# When completed, it will prompt that it will shutdown your computer, click the OK button.
# When the computer has shutdown, turn your computer back on.
vundofix
http://www.atribune.org/ccount/click.php?id=4
This message has been edited since posting. Last time this message was edited on 6. May 2007 @ 09:55
|
|
