I don't know what's going on!!!?

If your PC is that badly compromised, I'd reformat and take security measures as soon as or before you connect to the Internet.

Quote from: Raptor on April 30, 2007, 08:12:03 AM
If your PC is that badly compromised, I'd reformat and take security measures as soon as or before you connect to the Internet.


So, what do I do now? It's not nearly as bad as it was.
I just can't reply to emails nor MySpace msgs.
Other than that things are good.

Well, you're still not free of infection. HijackThis isn't an actual cleaning tool. The files have to be removed manually.

C:\WINNT\svchost.exe
This file is still on your computer. Could you upload it to VirusTotal and post the log here?

Your QuickTime is still infected, so I WOULD suggest fixing the related entry mentioned earlier, uninstalling QuickTime, running CCleaner (both Cleaner and Issues; install without Yahoo! toolbar), and then reinstalling QuickTime.

The thing that concerns me most is the password stealer. You can do a search for IExplorer.dll and post the results here, but I honestly don't know if we'll really be able to get rid of this. I could never be comfortable enough to say that it's gone, so maybe a reformat would be the best option...

I'd like to know what oddjob has to say.

I couldn't get total virus or VirusTotal to load on Windows 2000, however SUPERAntiSpyware is showing NOTHING anymore! It was showing hundreds of problems!
HijackThis is showing the following:

Logfile of HijackThis v1.99.1
Scan saved at 7:23:56 PM, on 5/1/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\svchost.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\AOL\1148324149\ee\AOLSoftware.exe
c:\program files\partners\busboy.exe
c:\program files\partners\bbpart11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Interstar.INTERSTA-R26OB0\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148324149\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [agpart] C:\Program Files\Partners\AGPART11.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [xrunwin] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [Yahoo! PAGER] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://leads400.landstar.com/HFAccess/HFDSP.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CC8DFB8-6269-4F66-A697-155CC2CAF08C}: NameServer = 166.102.165.11,166.102.165.13
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

This log has all of the same major problems as before. I get the distinct feeling that you haven't been following any of my instructions...

VirusTotal is just a website, it's not OS-specific.

I copied and pasted what HijackThis said and I sent it to VirusTotal so I'll let you know what they say.

This is what VirusTotal told me:

Antivirus Version Update Result
AhnLab-V3 2007.5.3.0 05.02.2007 no virus found
AntiVir 7.4.0.15 05.02.2007 no virus found
Authentium 4.93.8 05.02.2007 no virus found
Avast 4.7.997.0 05.03.2007 no virus found
AVG 7.5.0.467 05.02.2007 no virus found
BitDefender 7.2 05.03.2007 no virus found
CAT-QuickHeal 9.00 04.30.2007 no virus found
ClamAV devel-20070416 05.03.2007 no virus found
DrWeb 4.33 05.02.2007 no virus found
eSafe 7.0.15.0 05.03.2007 no virus found
eTrust-Vet 30.7.3611 05.02.2007 no virus found
Ewido 4.0 05.02.2007 no virus found
FileAdvisor 1 05.03.2007 no virus found
Fortinet 2.85.0.0 05.02.2007 no virus found
F-Prot 4.3.2.48 05.02.2007 no virus found
F-Secure 6.70.13030.0 05.03.2007 no virus found
Ikarus T3.1.1.7 05.02.2007 no virus found
Kaspersky 4.0.2.24 05.03.2007 no virus found
McAfee 5022 05.02.2007 no virus found
Microsoft 1.2405 05.02.2007 no virus found
NOD32v2 2235 05.02.2007 no virus found
Norman 5.80.02 05.02.2007 no virus found
Panda 9.0.0.4 05.02.2007 no virus found
Prevx1 V2 05.03.2007 no virus found
Sophos 4.17.0 05.01.2007 no virus found
Sunbelt 2.2.907.0 05.03.2007 no virus found
Symantec 10 05.03.2007 no virus found
TheHacker 6.1.6.104 04.15.2007 no virus found
VBA32 3.11.4 05.02.2007 no virus found
VirusBuster 4.3.7:9 05.02.2007 no virus found
Webwasher-Gateway 6.0.1 05.02.2007 no virus found


Additional Information
File size: 31232 bytes
MD5: 7960edcdac55907840837cd4c32bbab9
SHA1: 67de61729e5e011a986fa8ce3d69e54d9af342dd
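A VirusTotal report is tied to the exact bytes that were submitted, which the report identifies by size, MD5 and SHA-1. "No virus found" for a 31232-byte file says nothing about any other file, so before reading anything into a report it is worth confirming that the file on disk produces the same three values. The Python below is an added example, not code from this thread; the `b"abc"` sample and the expected values it is checked against in the `__main__` block are constructed for the example, and the function names are my own.

```python
"""Added example (not from the thread): confirm a VirusTotal report describes the file you hashed.

A size mismatch means the bytes hashed are not the bytes the report was generated from
(for instance, log text was submitted instead of the binary). A hash mismatch with the
same size means the file changed between submission and the local check.
"""
import hashlib

FIELDS = ("size", "md5", "sha1")


def fingerprint(data):
    """Size, MD5 and SHA-1 of a byte string, in the form VirusTotal prints them."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def fingerprint_file(path, chunk=1 << 16):
    """Same as fingerprint(), but streams the file so large samples do not load into memory."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha1.update(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compare_to_report(local, size, md5, sha1):
    """Return (ok, mismatched_fields) for a local fingerprint against the values a report lists."""
    expected = {"size": int(size), "md5": md5.strip().lower(), "sha1": sha1.strip().lower()}
    bad = [k for k in FIELDS if local[k] != expected[k]]
    return (not bad, bad)


def matches_report(data, size, md5, sha1):
    """Check in-memory bytes against a report; returns (ok, mismatched_fields)."""
    return compare_to_report(fingerprint(data), size, md5, sha1)


def file_matches_report(path, size, md5, sha1):
    """Check a file on disk against a report; returns (ok, mismatched_fields)."""
    return compare_to_report(fingerprint_file(path), size, md5, sha1)


if __name__ == "__main__":
    # Constructed sample: the well-known digests of the three bytes "abc".
    sample = b"abc"
    ok, bad = matches_report(sample, 3,
                             "900150983cd24fb0d6963f7d28e17f72",
                             "a9993e364706816aba3e25717850c26c9cd0d89d")
    print("report matches local file:", ok, bad)
    ok, bad = matches_report(sample, 31232,
                             "900150983cd24fb0d6963f7d28e17f72",
                             "a9993e364706816aba3e25717850c26c9cd0d89d")
    print("wrong size submitted:", ok, bad)
```

Run it against the real path with `file_matches_report(r"C:\WINNT\svchost.exe", 31232, "7960edcd...", "67de6172...")` (the full hashes from the report); if `size` comes back in the mismatch list, the report is for a different file and the "no virus found" verdict does not apply to the one on disk.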
which file

Quote from: unlovedwarrior on May 02, 2007, 07:54:21 PM
which file
I think it's this one from reply #18 above .....

C:\WINNT\svchost.exe


***************

Is your Norton Internet Security (antivirus + firewall) actually running? It seems to be loaded on your system but looks to be inactive.

You cannot expect to stay safe using the internet if you don't have (at least) these two running at all times.

Please let us know.

***************

This LATEST log is full of Trojans.

Download the fully working trial version of Trojanhunter from here ....

http://www.misec.net/

Install it on your computer then scan with it. Let it fix anything it wants to.


***************

Lastly go to your HJT folder and find this file (below in BOLD) ...

C:\Documents and Settings\Interstar.INTERSTA-R26OB0\Desktop\HijackThis.exe

Right click on it and choose "rename" ...

Type the word "new" in front to rename thus .....

newHijackThis.exe

Rescan your computer with the newly named file and post the resulting log.

***************

Please also give us an update on how the computer is working now.

***************

Footnote >>> I do believe your Service Pack is out of date. SP4 is available here BUT DO NOT LOAD IT YET....

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.mspx

(Just bookmark the site for later use; we'll tell you when)



OJ

Thanks for the log. However, I still don't trust that file. It's not in the standard folder, which is the biggest red flag. Also, I've looked around a bit more and although there's very little info on xrunwin, I've noticed that every time it shows up in a log, it's accompanied by the IExplorer.dll password stealer. Seems fishy to me. Unless someone can make me believe otherwise, I'll assume this is malicious.

The infection you have is a little tricky and there is no surefire way of removing it yet, so all we can do at this point is try a few different things and hope they work...

First, download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here.

Also...
Download DAFT and save it to your Desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries if they are shown after the scan:

.bat
.ini
.reg
.txt

  • Click the Fix button.
  • Re-scan and save a logfile to your Desktop. By default, it will save as daft.txt
  • I'll need that log later.
If everything is alright again, it should display the "All associations OK" message.

I have included a batch file (FixPWS.bat). Unzip the file to your desktop, reboot into Safe MODE, and double-click on FixPWS. Wait a few seconds and when the command window closes, restart your computer.

You might want to go ahead and uninstall QuickTime. Once you do that, use CCleaner to clean the temp files and registry keys. Afterwards, you may reinstall QuickTime if you wish.


Once you have done all of this, try running a virus scan. Any luck? What happens? In addition to the logs I've asked for, post yet another HJT log (rename it first like oddjob suggests) to see if we've made a dent at all. And be sure to let me know how things are running. If you are still having problems, I see a reformat in your immediate future.

[cleaning up - attachment deleted by admin]

What did AVG Anti-Spyware and SUPERAntiSpyware find??
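The helpers in this thread read the HijackThis log by hand, and the reasoning they apply is mechanical enough to script: a core OS binary name (svchost.exe) running from C:\WINNT rather than C:\WINNT\system32, O4 autostart values whose launch target is a DLL (IExplorer.dll) instead of an executable, a Run value named after a system DLL (ntdll.dll) that starts something else, entries under the RunServices key, and a per-user proxy that points at a local port. The Python below is an added example, not code from the thread or from HijackThis; it embeds a subset of the log posted above as its sample input, and the `SYSTEM_DIRS` and `SYSTEM_NAMES` tables and the heuristics themselves are my assumptions for the example. Every flag it raises is a lead to check by hand, not a verdict.

```python
"""Added example (not from the thread): triage heuristics over a HijackThis log.

Each check mirrors a point made by the helpers in the thread. Findings are leads
that still need manual verification (a local proxy, for instance, can be a
legitimate ad-filtering or antivirus tool as easily as a credential stealer).
"""
import re

# Where Windows 2000 keeps the genuine copies of the binaries below
# (assumption for this example; adjust for a different %SystemRoot%).
SYSTEM_DIRS = {r"c:\winnt\system32"}
# Binary names malware commonly borrows (assumption; extend as needed).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "csrss.exe"}

# A subset of the log posted earlier in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [xrunwin] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                      # "O4 - <text>"
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")   # "HKLM\..\Run: [name] value"


def parse_processes(log):
    """Paths listed under 'Running processes:' (the block ends at the first blank line)."""
    paths, collecting = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def parse_entries(log):
    """(section, text) pairs for every Rn/On line in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def launch_target(value):
    """The program a Run value starts: the quoted path if quoted, else the text before the first space."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def is_masquerading(path):
    """True when the file name is a core OS binary but the folder is not where the OS keeps it."""
    folder, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_NAMES and folder not in SYSTEM_DIRS


def check_processes(paths):
    """Running processes whose name/location pair does not fit the OS layout."""
    return [p for p in paths if is_masquerading(p)]


def check_run_keys(entries):
    """(key, value_name, reason) for O4 autostart values that deserve a manual look."""
    findings = []
    for section, text in entries:
        m = O4_RE.match(text) if section == "O4" else None
        if not m:
            continue
        _hive, key, name, value = m.groups()
        target = launch_target(value)
        if target.lower().endswith(".dll"):
            findings.append((key, name, "launch target is a DLL, not an executable: " + target))
        if key.lower() == "runservices":
            findings.append((key, name, "RunServices is a Windows 9x/Me key that Windows 2000 ignores"))
        if name.lower().endswith(".dll") and not target.lower().endswith(".dll"):
            findings.append((key, name, "value named like a system DLL but starts " + target))
        if is_masquerading(target):
            findings.append((key, name, "starts a system binary name from a non-standard folder: " + target))
    return findings


def check_proxy(entries):
    """ProxyServer values that point back at this machine; find out which process listens there."""
    found = []
    for section, text in entries:
        if section == "R1" and ",ProxyServer = " in text:
            value = text.split("= ", 1)[1].strip()
            if value.split(":")[0].lower() in ("localhost", "127.0.0.1"):
                found.append(value)
    return found


def triage(log):
    """Run every check and group the findings by kind."""
    entries = parse_entries(log)
    return {
        "masquerade": check_processes(parse_processes(log)),
        "run_keys": check_run_keys(entries),
        "local_proxy": check_proxy(entries),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

To run it over a full log, read the saved HijackThis text file into a string and pass it to `triage()`. The local-proxy finding is deliberately neutral: on Windows 2000 `netstat -an` will show the listener on port 8182 but not which process owns it, so use a tool such as Sysinternals TCPView to tie the port to a program before deciding whether it belongs there.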

