Thread: My machine is plagued

  1. #1
    Junior Member
    Join Date
    Feb 2007
    Posts
    6

    My machine is plagued

    Hi there,

    I'm new here. I finally decided to take care of my computer, which seems to be a playground for adware and spyware, after I realized they might be tracking my passwords.

    I do not have an updated version of Windows XP, but I am planning to update it with the security pack 2 once I've cleaned the computer.

    PROBLEMS: I have Errorsafe, Winantiviruspro, Bet365, Broadcaster, and many other ads popping up (mostly on IE, but also on Firefox) any time I'm connected.

    WHAT I'VE TRIED: I've tried disabling IE with a dummy connection, but to no avail. I run Spybot and AVG Free daily. I've also tried running Spybot in safe mode, but that didn't seem to solve anything.

    PLAN: I am currently following the steps indicated by this (http://forums.spybot.info/showthread.php?t=288) thread. Once I have an online scan log I will post it, then run Spybot in safe mode, then post the HJT log.

    I would be grateful to any kind soul willing to look at my online virus scan and HJT logs and tell me what to do.
    Best,
    David

  2. #2
    Junior Member
    Join Date
    Feb 2007
    Posts
    6

    Online virus scan completed

    I just ran the eTrust virus scan; here is the log. It will not clean any of the 27 viruses it found. My next step will be running updated Spybot in safe mode.

    Sorry, the results are in Italian. "impossibile pulire" means "impossible to clean"; text in parentheses is my translation.

    David

    --------------
    Risultati dell'analisi: 26023 Analisi dei file effettuata. 27 Rilevati virus
    (Results of the analysis: 26023 files analyzed. Found 27 viruses)


    File Infezione Stato Percorso
    (File Infection Status Location)

    cr_obj[1].htm JS/MS06-014!exploit impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\ALIT0H4Z\
    drf1171194130[1].htm Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\NT95S4GA\
    drf1171194130[1].htm.exe Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\NT95S4GA\
    drf1171539225[1].htm Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\OHEBCDQF\
    drf1171539225[1].htm.exe Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\OHEBCDQF\
    drf1171448891[1].htm Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\W37FM8P9\
    drf1171448891[1].htm.exe Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\W37FM8P9\
    drf1171544367[1].htm Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\X0J6FJPZ\
    drf1171544367[1].htm.exe Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\X0J6FJPZ\
    drf1171123964[1].htm Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\YZ23UDQJ\
    drf1171123964[1].htm.exe Win32/Papiex!generic impossibile pulire C:\Documents and Settings\Giuseppe\Impostazioni locali\Temporary Internet Files\Content.IE5\YZ23UDQJ\
    VSAdd-in.dll Win32/Reastop.A impossibile pulire C:\Programmi\VSAdd-in\
    VSAdd-in_1.dll Win32/Reastop.A impossibile pulire C:\Programmi\VSAdd-in\
    frfxrimk.dll Win32/Vundo.BU impossibile pulire C:\WINDOWS\system32\
    fthbqqjj.dll Win32/Vundo.BY impossibile pulire C:\WINDOWS\system32\
    fuaokryc.dll Win32/Vundo.BY impossibile pulire C:\WINDOWS\system32\
    gmwyjwpm.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    hhyfukmp.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    jiuphdok.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    lfipclod.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    noyxgbji.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    pdfwyrce.dll Win32/Vundo.BU impossibile pulire C:\WINDOWS\system32\
    sbxiftmh.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    tayqyyor.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    vgwjeady.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    vkulefhr.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\
    xbmlxdlo.exe Win32/Reastop.A impossibile pulire C:\WINDOWS\system32\

  3. #3
    Junior Member
    Join Date
    Feb 2007
    Posts
    6

    Deleted infected files

    While eTrust could not fix the problems, it succeeded in deleting 26/27 of them. The only one that could not be deleted was

    VSAdd-in.dll Win32/Reastop.A impossibile eliminare C:\Programmi\VSAdd-in\

    Next step: Spybot in safe mode

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi paguro7 and welcome to the Forums

    You're infected.

    Please post a HijackThis log to here:
    • Click here to download HijackThis.exe
    • Save HijackThis.exe to your desktop.
    • Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
    • Run HijackThis.exe
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  5. #5
    Junior Member
    Join Date
    Feb 2007
    Posts
    6

    Hi Mr_JAk3, thanks for the welcome.

    I've run Spybot in safe mode, and here is the HJT log. Hope it's not looking too awful.
    Best,
    David


    ------------

    Logfile of HijackThis v1.99.1
    Scan saved at 23.29.42, on 01/03/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\eMule\emule.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Giuseppe\Desktop\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Programmi\VSAdd-in\VSAdd-in.dll
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
    O4 - HKLM\..\Run: [Windows Config System] config.exe
    O4 - HKLM\..\Run: [Microsft Security Monitor Process] cmh.exe
    O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\frfxrimk.dll",setvm
    O4 - HKLM\..\RunServices: [Windows Config System] config.exe
    O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] cmh.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Startup: frujgmom.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169220092665
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170027889174
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{679DC7C3-4320-4FCF-8639-6988512B9389}: NameServer = 85.37.17.12 85.38.28.79
    O20 - AppInit_DLLs:
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: hpdj - HP - C:\DOCUME~1\Giuseppe\IMPOST~1\Temp\hpdj.exe
    O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINDOWS\system\mside.exe (file missing)
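    Reading an HJT log like the one above: this is an added Python triage example, not part of the thread and not a HijackThis feature. It parses the O4 autostart lines copied from David's log and flags three traits a reviewer looks for; the heuristics themselves are my own assumptions and do not replace a human review.

```python
import re

# Autostart entries ("O4" lines) copied from the HijackThis log posted above.
# The triage rules below are illustrative heuristics I chose for this example,
# not HijackThis logic or the forum helper's method.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
O4 - HKLM\..\Run: [Windows Config System] config.exe
O4 - HKLM\..\Run: [Microsft Security Monitor Process] cmh.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\frfxrimk.dll",setvm
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: frujgmom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - <location>: [<display name>] <command>"; Startup-folder entries have no [name].
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$", re.I)


def launched_file(cmd):
    # The file an O4 command really loads: the shortcut target for
    # "name.lnk = target", the DLL for rundll32 entries, else the first token.
    if " = " in cmd:
        return cmd.split(" = ", 1)[1].strip()
    parts = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if len(parts) > 1 and parts[0].lower() == "rundll32.exe":
        return parts[1].split(",")[0]   # drop the ",entrypoint" suffix
    return parts[0] if parts else ""


def triage_o4(log_text):
    # Return [(display name, launched file, [reasons])] for entries that trip a rule.
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name") or m.group("where")
        target = launched_file(m.group("cmd"))
        base = target.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in target:
            reasons.append("no full path: resolved through the search path")
        if RANDOM_NAME.match(base):
            reasons.append("random-looking eight-letter file name")
        if "microsft" in name.lower():
            reasons.append("misspelled vendor in display name")
        if reasons:
            findings.append((name, target, reasons))
    return findings
```

    On the sample, `triage_o4(SAMPLE_O4_LINES)` flags four of the seven entries (config.exe, cmh.exe, the rundll32-loaded frfxrimk.dll and frujgmom.exe) and leaves the Systems, BitTorrent and Office entries unflagged, which shows why a path-only heuristic still needs a human: sysmon.exe in System32 passes every rule.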

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi again

    "Hope it's not looking too awful"
    Well, to be honest, it is. You have a nice malware collection there.

    I must warn that one or more of the identified infections is a backdoor trojan

    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

    Please let us know what you have decided to do in your next post

  7. #7
    Junior Member
    Join Date
    Feb 2007
    Posts
    6


    Hi MrJAk3,

    Thanks so much for your help. That's really bad news. I will take all the steps needed to avoid any future problems, and probably format the computer (and buy a new one; luckily this is an old computer I don't mind throwing away). My main worry is ID stealing and bank info. But I'll have to worry about that. Thanks again,
    David

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi again

    Formatting is the best option. You don't have to throw the computer away, formatting is enough.

    Please make sure that you know what to do before beginning the operation.

    Here are a few links that probably help.

    Reformatting Windows XP by wng_z3r0
    When should I re-format? How should I reinstall?
    Windows XP Clean install

    Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
    • Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

      These are good (free) firewalls:
      - Kerio
      - Sygate
      - Outpost

      These are good (free) antiviruses:
      - Antivir
      - Avast
      - AVG
    • Get all Windows updates installed!

    Please ask me if you have any questions

    Then here are a few things that you can do in order to make your fresh computer more secure:

  9. #9
    Junior Member
    Join Date
    Feb 2007
    Posts
    6


    Hi there,
    Yes, I am thinking of formatting and installing Linux. Seems safer, easier and all. I will read all of this. Thanks a lot for all your help, I really appreciate it. Best,
    David

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    That's great news and you're very welcome

    As the problem appears to be resolved this topic has been archived.

    If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

    Glad we could help