Malwareteks :: Forums :: Malware Support :: Resolved Malware Threads
 
[RESOLVED] Vundo and possibly others...?
This thread is now closed
dreamr
Wed Aug 09 2006, 11:10PM
Hey,
A really nice lady, Judy, was helping me earlier and we were kind of 'interrupted,' so I am posting here to see if she'd be nice enough to continue helping me.

The problem I'm having is that one certain website no longer works for me. All I get is a "page cannot be displayed" error. It's not the site itself because it seems that most everyone else can get on the site without a problem. There are just a few of us that have come down with this problem (and it started around the same exact time two days ago for us all). I can access the site fine on my computer at work. It's just my home computer that won't load the page.

Over the past day, I have done tonnnns of scans with Panda, BitDefender, ewido, ad-aware, spybot s&d, and VundoFix. I was asked to post the four logs I did this morning and last night: VundoFix, ewido, SmitFraudFix, and a new HJT log. So here goes...

Thanks again for helping!
1155179456_17_FT0_hijackthis88063.txt
1155179456_17_FT0_vundofix.txt
1155179456_17_FT0_rapport.txt
1155179456_17_FT0_ewido8820062.txt

[ Edited Mon Jul 21 2008, 08:54AM ]
jholland1964
Wed Aug 09 2006, 11:44PM
Actually your logs look good, Ewido found and quarantined cydor...am going to do a bit more checking on this. It comes into the computer with Kazaa.
Have a question or two though;
This entry;
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
>>> This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers.
Do you use numerous monitors on this home computer?

Also, how many user accounts are on the computer? If there are more than one I will need HJT logs from each user.

Also, OmniPass is on the computer. It is an OK program, but I am wondering why you need a password manager, if that is what this is, for the home computer. Or do you also work from home?
Also, what version of Java are you running? Most current version is Java Runtime Environment Version 5.0 Update 6.
If you have an older version then this should absolutely be updated from here
http://www.java.com/en/download/index.jsp

Let me do some checking on this cydor found by ewido.
Judy
dreamr
Wed Aug 09 2006, 11:54PM
I don't use more than one monitor. So I have no idea why that is there...but that doesn't sound good...

And I don't use OmniPass either.

Um, I think there's just the administrator and myself. Which, I'm the only person who uses this computer, so I AM the administrator. I have no idea why there is the two separate things. But when I turn on my computer, it automatically loads MY desktop, I don't have to 'login' or anything like that...

I only see the "administrator" account when I go into safe mode.

[ Edited Wed Aug 09 2006, 11:57PM ]
jholland1964
Wed Aug 09 2006, 11:57PM
Just noticed something else. Your Internet Explorer is out of date! There is a new version;
You are running Windows XP SP1 (WinNT 5.01.2600) and the newest version is 6.00.2900.2180!

Go here to download this version http://www.microsoft.com/windows/ie/ie6/downloads/default.mspx#ELC

DON'T download the Beta version IE7; this is basically a test version. Just update your IE6 to its latest version. I believe you will have to scroll down on that page to get to the IE 6 updates.

Actually you really need to update your XP to XP SP2 but that can wait until we are certain all the other items are taken care of. Actually I believe you can still order an update disk for SP 2 which makes it easy to update. Check on the site I have given you to see if you can. The disk is free.
jholland1964
Wed Aug 09 2006, 11:59PM
dreamr wrote ...

I don't use more than one monitor. So I have no idea why that is there...but that doesn't sound good...

And I don't use OmniPass either.

Um, I think there's just the administrator and myself. Which, I'm the only person who uses this computer, so I AM the administrator. I have no idea why there is the two separate things. But when I turn on my computer, it automatically loads MY desktop, I don't have to 'login' or anything like that...

I only see the "administrator" account when I go into safe mode.


If you don't use either of those programs then personally, I would uninstall them via Control Panel Add/Remove.
dreamr
Thu Aug 10 2006, 12:02AM
Ok. Java is updated and so is IE.

What would that 'numerous monitors' program be in the add/remove programs?

[ Edited Thu Aug 10 2006, 12:04AM ]
ShadowPuterDude
Thu Aug 10 2006, 12:05AM
The latest Java is Version 5.0 Update 7. The Java download site hasn't been updated in some time to reflect the update.

This thread has the links to the latest Java version.

Sun Java Updates - Very critical

On a side note, I have been upgrading the forums software. If you encounter anything that doesn't seem to work correctly just report it in the Bug Reports/Site Updates/Enhancements/Site News forum.

Now I'll butt out.



"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
jholland1964
Thu Aug 10 2006, 12:09AM
Gonna have to check on that "numerous monitor" program...don't worry about it right now.
Do want you to do something else though. I want to be sure that cydor thingy is gone. A good way to check is do this;
download WebRoot SpySweeper from HERE (It's a 2 week trial):
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10192729.html
* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, close the program.

Update your anti-virus program, but don't scan yet. Once the update has completed then close the program.

Then Reboot to Safe Mode
Run a FULL SYSTEM scan with your anti-virus program and have it fix all that is found.

Open Spysweeper.

* click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.

Reboot to normal mode and come back here and post the Spysweeper log.
jholland1964
Thu Aug 10 2006, 12:15AM
"The latest Java is Version 5.0 Update 7. The Java download site hasn't been updated in sometime to reflect the update."

Thanks ShadowPuterDude! I need an update too then!
dreamr
Thu Aug 10 2006, 07:40AM
Ok, I did that and saved the log, BUT it seems you can't have it 'remove' the items without having an 'active subscription' which costs $29.95. And now I can't seem to find the log I saved...hmm...

Oh, and that Java page had update 7 last night, but this morning, it now has Update 8. So I guess you both need to update again. lol

[ Edited Thu Aug 10 2006, 07:45AM ]
dreamr
Thu Aug 10 2006, 08:29AM
Sorry for the double post, but it wouldn't let me add the file by simply editing my above post.

Anyway, here is the SpySweeper log...

(And the little icons in my task tray are down to three? Is that normal? It just shows the internet connection, my anti-virus program, and the spysweeper icon. Even the little "volume" icon is gone...?)


1155212981_17_FT327_spy_sweeper_session_log1.txt

[ Edited Thu Aug 10 2006, 08:31AM ]
jholland1964
Thu Aug 10 2006, 11:15AM
I was afraid that would happen. The two week free trial with fixes link for Spysweeper I usually use went down the tubes with the IANAG web site. I am going to have to read through the log and come up with the fixes of items noted...several trojans there for one thing. Give me a few hours and I will post some fixes.
Thanks for the heads up on the Java updates! Am off to do those right now!!
Be back as soon as I can.
Judy
dreamr
Thu Aug 10 2006, 11:51AM
Thank you so much for all your hard work, Judy. I really do appreciate it.

And just as a reminder, I have to go to work in about an hour, but as always, I'll be back around 6 PM EST.
jholland1964
Thu Aug 10 2006, 03:10PM
Dreamr, don't know if this will work. But totally uninstall that Spysweeper program I had you download. Do a search too for any files named Spysweeper or Webroot and remove those.
Now go to this link and on the top post is a link for the trial download. Try that one. I just used it and it would remove. Don't know if you will be able to do that since you just did the other download but let's try it. Follow all the instructions I gave you before and see if it will remove the items found.

http://forums.pcpitstop.com/index.php?s=28568d8ab59d0029856316245c0dfba7&showtopic=123031&pid=1241375&st=0&#entry1241375

I HAVE saved your other log and am working on removal of the things found. But let's try this and see if it works, if it doesn't nothing lost nothing gained.
Judy
dreamr
Thu Aug 10 2006, 09:01PM
Ok. Done with those. Here is the log, as well as a new HJT log.


1155258103_17_FT327_spysweeper1.txt
1155258103_17_FT327_hijackthis810061.txt

[ Edited Thu Aug 10 2006, 09:02PM ]
jholland1964
Thu Aug 10 2006, 11:24PM
Both your logs look ok to me. All the items showing in that first Spysweeper scan were quarantined with this scan. You should go into Spysweeper and empty that quarantine file, and disable the background scanning because it will be useless anyway in 14 days.
Also, disable System Restore in order to set new and clean restore points. Do this by right-clicking My Computer. Choose Properties. Then the System Restore tab. Place a checkmark in Turn Off System Restore. You will be asked if you are sure; say yes. System Restore will then be disabled. Close the System Properties box. Wait a minute or two and do the same, but this time remove that checkmark and System Restore will be turned back on.
You also should go to the Microsoft website and do the updates now. Definitely the Internet Explorer update as I stated above. Remember, just update to the newest version of IE 6; don't do IE7.
Have you tried the website you cannot access again yet? Try it and see what happens.

[ Edited Thu Aug 10 2006, 11:33PM ]
dreamr
Thu Aug 10 2006, 11:39PM
Ok, just did both of those. And I just tried the website and it still gives me the same error. I think I'm gonna cry.
jholland1964
Thu Aug 10 2006, 11:48PM
What is the exact wording of the error...give it all, numbers etc.
dreamr
Thu Aug 10 2006, 11:52PM
I took a screencap:

http://img135.imageshack.us/my.php?image=hexerroran1.png

[ Edited Thu Aug 10 2006, 11:53PM ]
jholland1964
Thu Aug 10 2006, 11:55PM
Sorry, am getting url not valid.
jholland1964
Thu Aug 10 2006, 11:56PM
Add them as attachments from your computer itself. Save them in your briefcase or someplace like that and then upload them
dreamr
Thu Aug 10 2006, 11:57PM
Ok, I'll copy/paste then...

The window says "Cannot find server"...and the page reads:

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.



Cannot find server or DNS Error
Internet Explorer
jholland1964
Thu Aug 10 2006, 11:57PM
Got it that time! Hey, give me the web page address again.
dreamr
Thu Aug 10 2006, 11:59PM
http://www.hexrpg.com
jholland1964
Fri Aug 11 2006, 12:09AM
Well, had no trouble accessing with both Firefox or Internet Explorer. Your computer is clean, your java is updated, kind of makes me think it has to do with your out of date Internet Explorer.

Also, what are your security settings on your IE? Go to Tools, Internet Options, Security, Restricted Sites and be sure you have not accidentally placed this site on your Restricted sites.

You might try Firefox, I love it, have used it about 18 months. It is a much more secure browser than IE. But it is up to you.
Either way, you should definitely update the IE.
dreamr
Fri Aug 11 2006, 12:15AM
Well, I updated the IE the other day when you mentioned that...so when I go to "Help" and "About Internet Explorer," it says:

Version: 6.0.2800.1106.xpsp2.030422-1633
Cipher Strength: 128-bit


...And I have both IE and Firefox and I've tried them both and I get an error on both.

Firefox says:

Unable to connect

Firefox can't establish a connection to the server at www.hexrpg.com.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

---

...and the security is set to 'custom' and HEX isn't in the restricted sites.

*Cries*

[ Edited Fri Aug 11 2006, 12:19AM ]
jholland1964
Fri Aug 11 2006, 12:25AM
Your Internet Explorer has NOT been updated. That is still the version showing in your very first log. The correct version is 6.0.2900.2180

Are you running a firewall? None shows in your HJT log. If you are running the built in Windows Firewall try turning it off and see if you can access the site.

Do you run SpywareBlaster? If so is your website listed in their Restricted Website section? If so remove the checkmark.

[ Edited Fri Aug 11 2006, 12:28AM ]
dreamr
Fri Aug 11 2006, 12:31AM
Hmmm...well, I tried. lol

I guess I can try again...but *sigh*...seriously. HEX is like the site I go to the most. I've been dying the last few days not being able to go. I wish I knew what could be causing me (and several others) to not be able to access it.

...where would I go to update it? All I see on the Microsoft page is Beta 7, which is the one you said not to download. And IE 6...

No, I don't run SpywareBlaster and I don't know where the firewall thing is.

I hadn't changed anything in any of my settings from the last time I was able to get on HEX until it stopped working. The server went down (or so I thought) and never came back up for me. Yet, it seems almost everyone else (save a few other people who are also having the same problem) can access the site fine. *Sigh*

[ Edited Fri Aug 11 2006, 12:34AM ]
ShadowPuterDude
Fri Aug 11 2006, 12:32AM
You must install SP2 for Windows XP, in order to update Internet Explorer 6.

jholland1964
Fri Aug 11 2006, 12:37AM
SPD, why do you think she cannot access this site? Computer is clean. Even without updating IE this website states it is best viewed with Firefox...she has Firefox, still can't access it but could before...
dreamr
Fri Aug 11 2006, 12:48AM
We have asked the admin of the site if it's possible that we were somehow blocked and we've been told that they have looked at the blocked IPs and that we haven't been. But I don't know what else it could be and it's really, really frustrating. 'Cause like I said, HEX is my favorite site and I haven't been able to get on it in nearly 4 days now.

----

After ALL of this...I think it IS that my IP was somehow blocked (along with the IPs of several other members). But when I was on the site at work the other day, I mentioned that it almost seemed as if our IPs had been blocked and one of the mods said that they had looked in the blocked list and that our IPs weren't listed. But I just tried one of those "anonymous proxy" sites and got straight onto HEX. It wouldn't let me login, though...'cause the proxy I used only allows you to VIEW websites. But the fact that I can access HEX through a proxy means that my IP *IS* blocked, right??

[ Edited Fri Aug 11 2006, 02:26AM ]
jholland1964
Fri Aug 11 2006, 08:41AM
Have you checked with YOUR ISP to see if they are blocking the website?

Now please don't be insulted, because I certainly don't mean this in an insulting manner, I know this is a Harry Potter website you are trying to access.
Do you share this computer with anyone else?
I ask this because of the Omnipass software you were unaware of; this is software which manages passwords on the computer. It is perfectly legal software, not a threat, and it would have had to have been installed by somebody. Perhaps another user of the computer.
If there is another user of the computer this other user could also have blocked this website with blocking software.

To check the Windows Firewall do this;
Disable Windows Firewall

1. Click Start,
2. Control Panel,
3. double-click Network Connections,
4. right-click the desired connection,
5. Properties,
6. Advanced tab,
7. Under Internet Connection Firewall,
8. uncheck the "Protect my computer and network by limiting or preventing access to this computer from the Internet" check box.

You can also try adding this website to Trusted Sites in the Security Section of Internet Explorer and see if that helps;
Tools, Internet Options, Security, Highlight Trusted Sites
Then click the Sites Button
Add http://www.hexrpg.com
Click OK

[ Edited Fri Aug 11 2006, 09:52AM ]
dreamr
Fri Aug 11 2006, 10:17AM
Well, like I mentioned earlier, there are other members who are having the same exact problems that I am having and at least one other has the Vundo Trojan on her computer now. We're wondering if it's possible that the server has a virus and has somehow given us viruses and blocked our IPs. There are at least 4 other people that I know of who have been 'blocked' from the website. And none of us are on the same ISP.

And nope, no one else uses this computer. And I tried both of those things yesterday after you mentioned them. And the firewall wasn't enabled and I added HEX to the safe sites.

AND we use the same ISP at my job that I use here at home and I can access the site at work, but not at home.

Btw, my ISP is Comporium.net and this girl that I'm talking to now (who is also having to access the site through a proxy) is on Earthlink.

Oh, and about the OmniPass, I'm pretty sure that was on my computer when I first bought it. I had looked into deleting it before, but some website that I was reading suggested not deleting it (or had said it wasn't a risk or whatever). So I just left it alone. But I've never used it. (Yep, just did a google and it seems that OmniPass comes preloaded on Presarios...)

[ Edited Fri Aug 11 2006, 11:16AM ]
jholland1964
Fri Aug 11 2006, 11:29AM
dreamr wrote ...

AND we use the same ISP at my job that I use here at home and I can access the site at work, but not at home.

Ok, then the problem must be with YOUR computer. If it was blocking the ISP then you shouldn't be able to access via your work computer either. At least I don't think so anyway.
Try this program. Belarc Advisor
It is free, download it from here; http://www.belarc.com/free_download.html
It will scan your computer and tell us everything about your computer. Software installed, updates done, updates not done...at least this will give me a place to start.
Attach the log here and we will see what we will see.
Thanks for that info about Omnipass...I will file that away for future reference.
dreamr
Fri Aug 11 2006, 12:31PM
Well, I'm just seeing this post, so it'll have to wait until I get back home, unfortunately. But more and more people are being blocked from the site. So I really don't think it's my computer. I think there's something going on with their server. It's like it's picking people to block each day for some reason.

The admins have finally taken notice, though, and are looking into the problem.

But I didn't mean it was blocking my ISP. Just my IP number...from my internet connection.

[ Edited Fri Aug 11 2006, 12:33PM ]
jholland1964
Fri Aug 11 2006, 01:47PM
If the admins are looking into the problem then they are admitting that THEY are the problem and there really is nothing you can do to access the site from home until they solve it.
ShadowPuterDude
Fri Aug 11 2006, 05:24PM
The problem may be on the other end. If you had Vundo, then there is a high probability that portions of it are hanging around your computer. Vundo has been difficult to fully remove lately using the standard removal tools.

Run CCleaner before doing the below.

Download WinPFind

Extract it to the root folder of drive C (C:\). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

jholland1964
Fri Aug 11 2006, 06:06PM
Glad you jumped in here ShadowPuterDude. WPFind is not something I am used to yet. I had some PM's with instructions on reading the logs from PP over at IANAG but we all know where those went.
dreamr
Fri Aug 11 2006, 08:40PM
Ok, here ya go.

Btw, since I'm not too familiar with Mozilla Firefox, are there any settings that I should be aware of to protect my comp from like pop-ups and such?


1155343254_17_FT327_winpfind.txt

[ Edited Fri Aug 11 2006, 08:44PM ]
ShadowPuterDude
Fri Aug 11 2006, 10:47PM
You are using MSCONFIG to prevent several items from running at system start. MSCONFIG is not used for this purpose; it is a diagnostic tool. Enable everything you used MSCONFIG to disable. Reboot and post a fresh HijackThis log. If you receive error messages at system start related to these items, we can correct that without using MSCONFIG.

dreamr
Fri Aug 11 2006, 10:58PM
Oh, ok. Well, a while back when I was having trouble, that was what I was told to do. To go into msconfig and disable them. lol

But I'll do that now. BRB.
dreamr
Fri Aug 11 2006, 11:05PM
Here ya go...
1155351937_17_FT327_hijackthis811061.txt
ShadowPuterDude
Fri Aug 11 2006, 11:20PM
HijackThis is not installed in a preferred location. Right-click on Move_HijackThis.vbs and save to your desktop. Double-click on Move_HijackThis.vbs and if prompted to allow then answer 'Yes'. This will move HijackThis to C:\Program Files\HJT. The reason for this is to allow for the proper creation of the HijackThis backup folder.

Once HijackThis has been moved; open Windows Explorer and navigate to C:\Program Files\HJT rename hijackthis.exe to analyse.exe. This will prevent Vundo from hiding itself from HijackThis.

Post a fresh HijackThis log


[ Edited Fri Aug 11 2006, 11:46PM ]

dreamr
Fri Aug 11 2006, 11:31PM
It's not letting me download it. It says "site was not found."

Never mind, I changed the url around and it worked.

[ Edited Fri Aug 11 2006, 11:36PM ]
dreamr
Fri Aug 11 2006, 11:43PM
Done. Here ya go...


1155354190_17_FT327_hijackthis81120061.txt
ShadowPuterDude
Sat Aug 12 2006, 09:24AM
Download Pocket Killbox.

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - Startup: American Idol Insider.lnk = C:\Program Files\Arcavista\American Idol Insider\PComAmericanIdol.exe
O4 - Startup: Kelly Clarkson Connection.lnk = C:\Program Files\Arcavista\KC Connection\PComKellyClarkson.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O15 - Trusted Zone: http://www.hexrpg.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\Media Access\MediaAccK.exe
    c:\program files\altnet\points manager\points manager.exe
    C:\Program Files\Arcavista\American Idol Insider\PComAmericanIdol.exe
    C:\Program Files\Arcavista\KC Connection\PComKellyClarkson.exe
    C:\Paltalk\pnetaware.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
C:\Program Files\Media Access <<=== Delete the Folder
c:\program files\altnet <<=== Delete the Folder
C:\Program Files\Arcavista <<=== Delete the Folder
C:\Paltalk <<=== Delete the Folder
C:\WINDOWS\System32\P2P Networking <<=== Delete the File
Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr
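As an added example (not from this thread, and not part of HijackThis or Killbox), here is a small Python parser for the line formats quoted in the fix above (O4 Run and Startup entries, O15 Trusted Zone, O16 DPF). It recovers the executable path behind each ticked O4 entry, which is the list the Killbox step asks you to assemble by hand, and treats a rundll32.exe host specially so the DLL it loads, not rundll32 itself, is reported. The sample lines are the ones quoted in this thread; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the HijackThis lines quoted in this thread (the NVIEW entry from
# Judy's first reply plus the 'Fix checked' list above), with the forum's HTML removed.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - Startup: American Idol Insider.lnk = C:\Program Files\Arcavista\American Idol Insider\PComAmericanIdol.exe
O4 - Startup: Kelly Clarkson Connection.lnk = C:\Program Files\Arcavista\KC Connection\PComKellyClarkson.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O15 - Trusted Zone: http://www.hexrpg.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
"""

# O4 registry autostarts: "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 Startup-folder shortcuts: "O4 - Startup: name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# Command lines in these logs are unquoted and full of spaces, so the first recognised
# executable extension marks the end of the path; anything after it is arguments.
CMD_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s+(?P<args>.*))?$", re.I)


@dataclass
class Entry:
    section: str            # "O4", "O15" or "O16"
    name: str               # Run value name, .lnk name, CLSID, or the trusted URL
    path: Optional[str]     # executable launched (O4 only)
    args: Optional[str]     # its command-line arguments, if any
    module: Optional[str]   # DLL named in the arguments when rundll32.exe is the host
    url: Optional[str]      # O15 zone entry or O16 download target
    raw: str


def _split_command(cmd: str):
    """Separate an O4 command line into (path, args, hosted module)."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), None, None
    path, args = m.group("path"), m.group("args")
    module = None
    # rundll32.exe is a legitimate Windows host; the item of interest is the DLL it loads.
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and args:
        module = args.split(",", 1)[0].strip()
    return path, args, module


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O4/O15/O16 line formats shown in the thread; other sections are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            path, args, module = _split_command(m.group("cmd"))
            entries.append(Entry("O4", m.group("name"), path, args, module, None, line))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            entries.append(Entry("O15", m.group("url"), None, None, None, m.group("url"), line))
            continue
        m = DPF_RE.match(line)
        if m:
            entries.append(Entry("O16", m.group("clsid"), None, None, None, m.group("url"), line))
    return entries


def killbox_paths(entries: List[Entry], checked: Set[str]) -> List[str]:
    """File paths behind the O4 entries whose names were ticked for 'Fix checked'.

    Fixing an O4 line only removes the autostart reference; the file itself stays on disk,
    which is why the thread follows up with Killbox. For a rundll32 host the DLL, not
    rundll32.exe, is the removal candidate. Order is preserved and duplicates dropped.
    """
    seen: Set[str] = set()
    out: List[str] = []
    for e in entries:
        if e.section != "O4" or e.name not in checked:
            continue
        target = e.module or e.path
        if target and target.lower() not in seen:
            seen.add(target.lower())
            out.append(target)
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in parsed:
        print(e.section, e.name, "->", e.path or e.url, e.args or "")
    ticked = {"P2P Networking", "Media Access", "AltnetPointsManager",
              "American Idol Insider.lnk", "Kelly Clarkson Connection.lnk", "PalNetaware.lnk"}
    print("\n".join(killbox_paths(parsed, ticked)))
```

Feed it a saved HijackThis log instead of SAMPLE_LOG to get the same path list for any set of ticked O4 names; lines from sections it does not know are ignored rather than misparsed.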