|
| ||
| help my computer is being hacked ! I keep getting this " your computer is infected" seems like windows xp keeps bringing this on and doesnt seem to turn off.. ive tried to delete everything through adware and spybot .. but still pops up,, it keeps asking me to install spystrooper and malware to get rid of it but it costs.. also my internet explorer routes to this web address "http://www.systemwarning.com/" where says my private info is collect by Your private info is collected by W32.Sinnaka.A@mm please help me get rid of this heres my hijack log ogfile of HijackThis v1.99.0 Scan saved at 3:23:32 AM, on 12/27/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\mssearchnet.exe C:\WINDOWS\system32\nvctrl.exe C:\WINDOWS\system32\CTHELPER.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\SpyTrooper\SpyTrooper.exe C:\Program Files\MalwareWipe\MalwareWipe.exe C:\Program Files\MalwareWipe\MalwareWipe.exe C:\Documents and Settings\jc\My Documents\hijackthis\HijackThis.exe O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hpC199.tmp O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing) O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [MalwareWipe] C:\Program Files\MalwareWipe\MalwareWipe.exe /h O4 - HKCU\..\Run: [SpyTrooper] C:\Program Files\SpyTrooper\SpyTrooper.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe |
| ||
| Re: help my computer is being hacked ! 1. Open your Add/Remove Programs control panel and uninstall the MalwareWipe and SpyTrooper "utilities". Please see this page for more information on these and other bogus "anti-spyware utilities". 2. You are running an outdated verision of HijackThis; please download and run the current version (1.99.1) and post a new log from that version. |
| ||
| Re: help my computer is being hacked ! 1 Attachment(s) thanks i will try the above,but my msn page is messed up its routed to this system warnings, looks threating ! check out the jpeg i uploaded,to see if its that threatening,ill post a new hijack log in a bit. thanks |
| ||
| Re: help my computer is being hacked ! ok ive downloaded , spycather and updated my adware 6 to Le and it seem to fix the majority of the nasties..but im still getting re-directed to " systems warnings" as my home page, it was msn somehow its not letting me change it.. and updated my hijackthis heres my hijack log Logfile of HijackThis v1.99.1 Scan saved at 11:39:08 AM, on 12/28/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\nvctrl.exe C:\WINDOWS\system32\CTHELPER.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\SpyCatcher 2006\Protector.exe C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\julio\My Documents\hijackthis\HijackThis.exe O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp27D0.tmp O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing) O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe O20 - AppInit_DLLs: interceptor.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe what can i take out in safe mode? |
| ||
| Re: help my computer is being hacked ! pimpwhack, First- uninstall SpyCatcher; it is not a recommended antispyware program. Also, please do not install any other programs during the course of this troubleshoot unless we specifically instruct you to do so. Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop. Place a shortcut to Panda ActiveScan on your desktop. Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/ Please read Ewido Setup Instructions Install it, and update the definitions to the newest files. Do NOT run a scan yet. Open AdAware and check for/install the most current updates. Don't run a scan yet; just close Adaware after it installs the updates. Next, please reboot your computer in SafeMode by doing the following:
=================================================== O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp27D0.tmp O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h O20 - AppInit_DLLs: interceptor.dll =================================================== Close HiJackThis. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Open Ad-aware and do a full scan. Remove all it finds. Run Ewido:
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. Reboot back into Windows and click the Panda ActiveScan shortcut. - Once you are on the Panda site click the Scan your PC button - A new window will open...click the Check Now button - Enter your Country - Enter your State/Province - Enter your e-mail address and click send - Select either Home User or Company - Click the big Scan Now button - If it wants to install an ActiveX component allow it - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) - When download is complete, click on Local Disks to start the scan - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log |
| ||
| Re: help my computer is being hacked ! Hey DMR, :surprised big thanks for the info!... took a while but well worth it . followed through everything step by step and seems like it got rid of all my malware, spyware crap.. 1 thing i could remove during the first step in safe mode was to get rid of this file " O20 - AppInit_DLLs: interceptor.dll " wasnt visible in there.. ok next as in my " System configuration Utility windows" under start-up / command i still that " spyaxe " is check in there, The path reads " C:drive program files /spy axe/ spyaxe exe./ h" .. and my desktop background is blue,, thats jsut easy to change ack to black right? and here are all my logs Panda active scan: Incident Status Location Adware:adware/wintools Not disinfected C:\WINDOWS\system32\TBPS.ini Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~56577.tmp my Ewido log --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 3:37:24 AM, 12/30/2005 + Report-Checksum: C614E673 + Scan result: HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup C:\Documents and Settings\julio\Cookies\julio@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup C:\Documents and Settings\julio\Cookies\julio@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup C:\Documents and Settings\julio\Cookies\julio@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup C:\Documents and Settings\julio\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\julio\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\julio\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\julio\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup C:\Program Files\MalwareWipe\MalwareWipe.exe -> Adware.Spyaxe : Cleaned with backup C:\RECYCLER\S-1-5-21-220523388-113007714-854245398-500\Dc1.exe -> Downloader.Zlob.dk : Cleaned with backup C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup ::Report End my SMitfiles: smitRem © log file version 2.8 by noahdfear Microsoft Windows XP [Version 5.1.2600] The current date is: Fri 12/30/2005 The current time is: 1:48:34.45 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SpyAxeFix © by noahdfear spyaxe directory present spyaxe uninstaller present Starting spyaxe uninstaller REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Winhound uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ Online Security Guide.url Online Security Guide.url Security Troubleshooting.url Security Troubleshooting.url ~~~ Favorites ~~~ Antivirus Test Online.url ~~~ system32 folder ~~~ wbeconm.dll 1024 dir msvol.tlb ld****.tmp mssearchnet.exe ncompat.tlb nvctrl.exe mscornet.exe ~~~ Icons in System32 ~~~ ts.ico ot.ico ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 728 'explorer.exe' Killing PID 728 'explorer.exe' Starting registry repairs Deleting files Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ Online Security Guide.url Online Security Guide.url ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN! :) and last my HIjack log Logfile of HijackThis v1.99.1 Scan saved at 2:40:15 PM, on 12/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\CTHELPER.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Documents and Settings\julio\My Documents\hijackthis\HijackThis.exe O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing) O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Filter: text/html - (no CLSID) - (no file) O18 - Filter: text/plain - (no CLSID) - (no file) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe |
| ||
| Re: help my computer is being hacked ! We're getting closer. 1. Run HJT again and have it fix: O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h O18 - Filter: text/html - (no CLSID) - (no file) O18 - Filter: text/plain - (no CLSID) - (no file) 2. Delete the entire C:\Program Files\SpyAxe folder and then Empty your Recycle Bin. If Windows doesn't allow you to delete the folder, reboot into Safe Mode and delete it from there. 3. Download the smitfraud.reg file by right-clicking on this link and choosing "Save link as..." or "Save target as..." from the resulting pop-up menu. Save the file to your desktop. - Double-click the smitfraud.reg file you saved, and when it asks if you want to merge with the registry, click YES. - Reboot your computer; you should then be able to change your display settings back to normal. |
| All times are GMT -4. The time now is 3:56 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC