Hi,
My computer background has turned into a red nuclear hazard sign after some trojans and worms came into my system. I am using Virgin Broadband firewall and antivirus but it doesn't seem to be working. I did scan the computer and delete the worms but the background still hasn't changed and now it won't allow me to connect to the internet. Can anyone help?
Thanks in Advance.
Need Help
- YARDofSTUF
- Posts: 70006
- Joined: Sat Nov 11, 2000 12:00 am
- Location: USA
- mnosteele52
- Posts: 11913
- Joined: Tue Jul 24, 2001 12:00 pm
- Location: Chesapeake, VA
1. Disable System Restore then reboot your pc, this will delete all old restore points.
2. Download and run CrapCleaner, this will clean out all of your temporary and junk files.
3. Unless you are using Kaspersky, NOD32, BitDefender or Avira AntiVir, uninstall your current antivirus program and install Avira AntiVir Personal Antivirus (it's free) and do a full system scan. Make sure you enable the option to scan for extended threat categories (configuration - general - extended threat categories - select all).
4. Download, update and do a full system scan with SpyBot Search & Destroy and remove all that it finds.
5. Download, update and do a full system scan with Ad-Aware 2007 and remove all that it finds.
6. Download, update and do a full system scan with SUPERAntiSpyware and remove all that it finds.
7. Download, update and do a full system scan with AVG Anti-Spyware and remove all that it finds.
8. Download and run AutoRuns and see if there is anything suspicious. You have to know what you are looking for but it is an invaluable tool, it is kind of like HijackThis on steroids.
9. Download, update and do a full system scan with Windows Defender and remove all that it finds, also enable its HIPS protection: open the main interface - tools - options - real time protection options - check both "software that has not yet been classified for risks" and "changes made to your computer by software that is permitted to run".
10. Download and do a scan with HijackThis and post the results here in the forums so I can assist you.
11. Download and update SpywareBlaster to help stay malware free.
12. Use ZonedOut to help prevent future infections.
13. Do ALL of the latest Windows Updates to ensure your OS is patched properly.
- YARDofSTUF
- Posts: 70006
- Joined: Sat Nov 11, 2000 12:00 am
- Location: USA
- Brave_heart
- Member
- Posts: 64
- Joined: Fri Apr 18, 2008 8:05 pm
mnosteele52 wrote: If you think your computer has been compromised by malware then please follow these instructions for proper cleanup.
1. Disable System Restore then reboot your pc, this will delete all old restore points.
2. Download and run CrapCleaner, this will clean out all of your temporary and junk files.
3. Unless you are using Kaspersky, NOD32, BitDefender or Avira AntiVir, uninstall your current antivirus program and install Avira AntiVir Personal Antivirus (it's free) and do a full system scan. Make sure you enable the option to scan for extended threat categories (configuration - general - extended threat categories - select all).
4. Download, update and do a full system scan with SpyBot Search & Destroy and remove all that it finds.
5. Download, update and do a full system scan with Ad-Aware 2007 and remove all that it finds.
6. Download, update and do a full system scan with SUPERAntiSpyware and remove all that it finds.
7. Download, update and do a full system scan with AVG Anti-Spyware and remove all that it finds.
8. Download and run AutoRuns and see if there is anything suspicious. You have to know what you are looking for but it is an invaluable tool, it is kind of like HijackThis on steroids.
9. Download, update and do a full system scan with Windows Defender and remove all that it finds, also enable its HIPS protection: open the main interface - tools - options - real time protection options - check both "software that has not yet been classified for risks" and "changes made to your computer by software that is permitted to run".
10. Download and do a scan with HijackThis and post the results here in the forums so I can assist you.
11. Download and update SpywareBlaster to help stay malware free.
12. Use ZonedOut to help prevent future infections.
13. Do ALL of the latest Windows Updates to ensure your OS is patched properly.

My comp got hacked and I was directed to this thread to follow your guide... so I am on step 2. What are the settings that I should run CrapCleaner at? There's all of these little things to check, can someone tell me which ones to check? Thanks.
512MB 8800 GTS|AMD athlon 6000 X2|4GB OCZ platinum 800|700W OCZ gamexstream|gigabyte MA770|modded coolermaster mystique|250GB barracuda|razer diamondback| vista 64 HP
- Brave_heart
- Member
- Posts: 64
- Joined: Fri Apr 18, 2008 8:05 pm
- YARDofSTUF
- Posts: 70006
- Joined: Sat Nov 11, 2000 12:00 am
- Location: USA
- Brave_heart
- Member
- Posts: 64
- Joined: Fri Apr 18, 2008 8:05 pm
YARDofSTUF wrote: If you're not familiar with AutoRuns just skip that, the HijackThis log posted here should do.

I was thinking that, thanks for the info.
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:13 PM, on 4/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files (x86)\EasyCal -- 1\ZSMVGDP.EXE
C:\Program Files (x86)\Xfire\xfire.exe
C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files (x86)\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files (x86)\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 6706 bytes
P.S. Ad-Aware and AVG did not work, I was told to not worry about AutoRuns, and Windows Defender does not work... will it have the desired result? And should I have rebooted before doing the HijackThis scan?
512MB 8800 GTS|AMD athlon 6000 X2|4GB OCZ platinum 800|700W OCZ gamexstream|gigabyte MA770|modded coolermaster mystique|250GB barracuda|razer diamondback| vista 64 HP
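
A triage sketch for a log like the one posted above, added here as an example; it is not part of the thread and not HijackThis's own code. It assumes that "Program Files (x86)" paths mean 64-bit Windows, where a 32-bit scanner reads System32 through WOW64 file-system redirection and can report files there as "(file missing)" even though they exist; the function and bucket names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines excerpted from the log posted above.
SAMPLE_LOG = r"""
Platform: Windows Vista SP1 (WinNT 6.00.1905)
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# Entry lines start with a section code such as R0, F2, O4 or O23.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)

def triage(log_text):
    """Sort log entries into buckets a reviewer would look at differently."""
    # Assumption: x86 program paths only appear on 64-bit Windows.
    is_64bit = "program files (x86)" in log_text.lower()
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.group("code"), m.group("body")
        if body.endswith("(no file)"):
            # Registry entry left behind with no file on disk.
            buckets["orphan"].append((code, body))
        elif body.endswith("(file missing)"):
            if is_64bit and SYSTEM32.search(body):
                # Likely a redirection artifact, not a deleted system file.
                buckets["redirected"].append((code, body))
            else:
                buckets["missing"].append((code, body))
        elif code == "O23" and "Unknown owner" in body:
            # File is present but carries no vendor name: check by hand.
            buckets["unknown_owner"].append((code, body))
        else:
            buckets["other"].append((code, body))
    return dict(buckets)

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket, [code for code, _ in entries])
```
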