Kid's computer got infected.

Hello,

My kid's machine seems to be acting up. It shuts off mid-operation; sometimes the monitor blanks out but the machine seems to continue running.

I installed MPK keylogger to monitor his activity on the computer. I'm wondering if that was the mistake or if something he has installed was infected. He is already a limited user, is there a way to prevent him from downloading or installing anything?

The HJT log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:20 AM, on 9/10/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MPK\Mpk.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\Monitor\KeyLogger.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\WINDOWS\system32\MPK\Mpk.exe
O4 - HKUS\S-1-5-21-1547161642-688789844-1343024091-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Kids')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FFA018E-92F4-465B-B264-DE54A0726949}: NameServer = 64.233.222.2,64.233.222.7
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7244 bytes
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

Is this a different computer than the one in this thread?

viewtopic.php?f=11&t=34077

I do not see an antivirus program at all nor do I see a firewall.

Step 1

A Firewall is an essential part of computer security and you do not appear to have a third party software firewall running on your system. If you have one, and I missed it, please ignore this. If you are relying on the firewall that comes with Service Pack 2, then you need to install a third party software firewall. While the SP2 firewall is better than nothing, it does not monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will. There are several firewalls that provide better protection than the Windows SP2 firewall. Follow these steps to turn off/disable the Windows Firewall before installing a new firewall:
2. Disconnect from the Internet.
3. Click Start > Control Panel.
4. Switch to Classic View if you have not already done so.
5. Double click on the Windows Firewall icon.
6. Click Off (Not recommended).
7. Install the new Firewall.
Do not attempt to run two software firewalls since, like running two antivirus programs, they will possibly cause problems and conflict with each other.

Step 2

There are a few firewalls available for free that appear to be good and easy to use: For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.

An antivirus program is an essential part of computer security and you do not appear to have one running on your system. There are a few available for free that have excellent reputations.

AVG 8 Anti-Virus Free Edition

AntiVir Personal

Avast! 4 Home Edition
If needed, see How to Install, Configure, and Use Avast Antivirus

Step 3

Please post a new HijackThis log.

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Kid's computer got infected.

I installed MPK keylogger to monitor his activity on the computer. I'm wondering if that was the mistake or if something he has installed was infected. He is already a limited user, is there a way to prevent him from downloading or installing anything?

I found several programs that should do what you want to do. I found one site that has two or more FREE programs you may like.

Crawler Parental Control or Net Purity - License: Freeware

Install-Block - Shareware, $19.95

Folder Guard - $39.95

Stop Software Installation Tool 2.2.2.2 - Shareware, $18.95

Trust-no-exe - Could not find price.

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Kid's computer got infected.

Thank you for your response, I will be taking the recommended steps today.

Yes, this is a different machine than the previous thread. I was able to resolve the issue from the other thread. I also had some family issues that caused me to be unavailable so that thread was closed, but all issues with that machine are resolved.

I will post again when I have a new HijackThis log.
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

OK, well, let's see if we did this right the first time.

I installed Agnitum Outpost as the firewall and stuck with AVG for the Anti-Virus. Installed, updated, scanned, and resolved the infections found. MPK keylogger shows up as a threat, I'm wondering if I need to remove that or if it is safe to leave installed to monitor the activity.

I also tried to install the free parental control program options you suggested: Crawler Parental Control or Net Purity. Parental Control did not agree with my PC as it slowed to a halt after installed. Once I removed it, all was well again. I attempted to install NetPurity, but the site was unavailable and I couldn't find a way to download it.

Now that we've recovered, here is the new HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:11 PM, on 9/10/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\BaTMaN\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\Monitor\KeyLogger.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\WINDOWS\system32\MPK\Mpk.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FFA018E-92F4-465B-B264-DE54A0726949}: NameServer = 64.233.222.2,64.233.222.7
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8305 bytes
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

The HijackThis log entry below indicates that you have PalTalk.

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

PalTalk is supported by advertising. PalTalk may not be harmful to have on your computer, but it will serve various types of advertising. PalTalk is considered ADWARE! I recommend uninstalling PalTalk. To uninstall PalTalk:
1. Click Start > Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight PalTalk, click Remove.
4. Close the Add or Remove Programs and the Control Panel windows.
5. Using Windows Explorer (Windows key+e), search for the PalTalk folder. If the program folder is still there, select/highlight the PalTalk folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
6. Close Windows Explorer.
7. There is a Video showing how to uninstall a program (Grinler) detailing how to add or remove a program in Windows for those who find a visual aid appealing.
Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Kid's computer got infected.

2. Double click SDFix.exe and it will extract the files to C:\SDFix.
3. Please reboot your computer in Safe Mode by doing the following:
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Select the first option, to run Windows in Safe Mode, then press Enter.
4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
5. Type Y to begin the cleanup process.
6. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
7. When your computer restarts, the Fixtool will run again to complete the removal process.
8. When Finished is displayed, press any key to end the script and load your desktop icons.
9. After the desktop icons load, the SDFix report will open on screen and save into the SDFix folder as Report.txt. Report.txt will also be copied to Clipboard.
11. If needed, see SDFix ReadMe

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Kid's computer got infected.

Ok so I tried to uninstall PalTalk and it seems to have already been done. I did delete the folder in C:\Program Files, just to be safe.

I also installed and ran SDFix. It seems to have gone well, but PalTalk is still showing up. Here is Report.txt:

SDFix: Version 1.223
Run by BaTMaN on Thu 09/11/2008 at 05:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 18:05:48
Windows 5.1.2600 Service Pack 2, v.2149 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"="C:\\Program Files\\SHOUTcast\\sc_serv.exe:*:Enabled:sc_serv"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk 9.0"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Documents and Settings\\BaTMaN\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\BaTMaN\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

Files with Hidden Attributes :

Fri 11 Jan 2008 3,302,728 ...H. --- "C:\Program Files\Cake Mania 2\CakeMania2.exe"
Wed 10 Sep 2008 72 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"
Tue 26 Aug 2008 27 ...H. --- "C:\Documents and Settings\Kids\Local Settings\Temp\WL_2.0.3 Downloader.tmp"
Tue 22 Jul 2008 827,056 A..H. --- "C:\Documents and Settings\BaTMaN\Application Data\mjusbsp\ar00000\install.exe"
Tue 22 Jul 2008 7,370,912 A..H. --- "C:\Documents and Settings\BaTMaN\Application Data\mjusbsp\in00000\setup.exe"
Tue 22 Jul 2008 827,056 A..H. --- "C:\Documents and Settings\BaTMaN\Application Data\mjusbsp\Upgrade\install2.exe"
Tue 22 Jul 2008 7,370,912 A..H. --- "C:\Documents and Settings\BaTMaN\Application Data\mjusbsp\Upgrade\setup2.exe"
Tue 22 Jul 2008 827,056 A..H. --- "C:\Documents and Settings\Kids\Application Data\mjusbsp\ar00000\install.exe"
Tue 22 Jul 2008 7,370,912 A..H. --- "C:\Documents and Settings\Kids\Application Data\mjusbsp\in00000\setup.exe"
Tue 22 Jul 2008 827,056 A..H. --- "C:\Documents and Settings\Kids\Application Data\mjusbsp\Upgrade\install2.exe"
Tue 22 Jul 2008 7,370,912 A..H. --- "C:\Documents and Settings\Kids\Application Data\mjusbsp\Upgrade\setup2.exe"

Finished!
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\Monitor\KeyLogger.exe

Monitors keystrokes so you can check if someone has typed anything while you are away from your computer. Reported as spyware by SpyCop in their FAQ.

You may want to consider purchasing one of the shareware parental controls since you could not get the free ones to download.

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm
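The helper reads individual O4 and O9 lines out of the two HijackThis logs posted earlier in this thread. The parser below is an added example written for this page, not a HijackThis or MalwareRemoval.com tool: it splits a log into section entries, flags the kinds of lines a reviewer looks at first (file-missing references, autoruns under the Policies\Explorer\Run key, O17 DNS overrides), and diffs the morning and evening logs. The flagging heuristics are my own, and the sample excerpts are constructed from the logs posted above.

```python
"""Parse HijackThis v2 log entries, flag ones worth a second look and diff two logs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry lines look like "O4 - HKLM\..\Run: [Name] command"; header and process
# list lines carry no section code and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 bodies: "<hive path>: [<Run value name>] <command>"
AUTORUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code such as O4, O9, O17, O23
    body: str  # text after "<code> - "

    @property
    def file_missing(self) -> bool:
        # HijackThis appends this marker when the referenced file does not exist.
        return self.body.endswith("(file missing)")

    @property
    def autorun(self) -> Optional[Tuple[str, str]]:
        """(Run value name, command) for O4 entries, None otherwise."""
        if self.code != "O4":
            return None
        m = AUTORUN_RE.match(self.body)
        return (m.group("name"), m.group("cmd")) if m else None


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag_entries(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Heuristics (my own, not HijackThis rules): dangling references, autoruns
    under Policies\\Explorer\\Run, and O17 entries that set the DNS servers."""
    flags = []
    for e in entries:
        if e.file_missing:
            flags.append(("file missing", e))
        if e.code == "O4" and "Policies\\Explorer\\Run" in e.body:
            flags.append(("policy autorun", e))
        if e.code == "O17":
            flags.append(("dns override", e))
    return flags


def diff_logs(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries that appeared in `new` and entries that vanished since `old`."""
    old_set, new_set = set(old), set(new)
    return ([e for e in new if e not in old_set], [e for e in old if e not in new_set])


# Constructed excerpts of the two logs posted in this thread (morning and evening).
LOG_FIRST = r"""
Running processes:
C:\WINDOWS\system32\MPK\Mpk.exe
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\Monitor\KeyLogger.exe
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\WINDOWS\system32\MPK\Mpk.exe
O4 - HKUS\S-1-5-21-1547161642-688789844-1343024091-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Kids')
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FFA018E-92F4-465B-B264-DE54A0726949}: NameServer = 64.233.222.2,64.233.222.7
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""
LOG_SECOND = r"""
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\Monitor\KeyLogger.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\WINDOWS\system32\MPK\Mpk.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FFA018E-92F4-465B-B264-DE54A0726949}: NameServer = 64.233.222.2,64.233.222.7
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    first, second = parse_hjt(LOG_FIRST), parse_hjt(LOG_SECOND)
    for reason, e in flag_entries(second):
        print(f"[{reason}] {e.code} - {e.body}")
    added, removed = diff_logs(first, second)
    print("added:", *[f"{e.code} - {e.body}" for e in added], sep="\n  ")
    print("removed:", *[f"{e.code} - {e.body}" for e in removed], sep="\n  ")
```

Run against the full logs the diff shows only the firewall and antivirus additions and the removal of the 'Kids' Yahoo! Pager run entry, which is what an analyst would expect between the two posts.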

Re: Kid's computer got infected.

I downloaded HKL for use to monitor the kid's activity on this machine, and it has served well so far. Is it a requirement that I remove it? Are there any other suggestions you have before we consider this machine to be clean?

I will consider purchasing a monitoring tool, thanks for the help and advice. I am looking forward to being able to take the steps required to help others in similar situations.
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

I am afraid I have unpleasant news for you. You have a Very Dangerous infection on this computer.

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

This is the standard warning for cases such as yours.

You are strongly advised to do the following immediately.

1. Disconnect infected computer from the Internet and from any networked computers until the computer can be cleaned.
2. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
4. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). The hacker can operate your computer just as if he were sitting in front of it. They can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

Depending on a few things, like if you always had a firewall, if you are using a router with a hardware firewall, etc., the chances the backdoor was used will be reduced. However, if the firewall was installed after the attack, chances are that they did use it.

In your first log, I saw no sign of either an antivirus or a firewall in your log. Chances are that this system is seriously compromised.

If it were my computer and I just discovered this type of trojan, I would be backing up my important stuff and re-installing everything from scratch. Though the Trojan has been identified and can be killed, because of its backdoor functionality, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the operating system. There are so many changes that could have been done if that backdoor was used.

We may be able to clean the infected files off the computer, and if you wish, we will attempt to do so, but we cannot be sure that the infection did not do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you reconnect to the Internet.

The decision whether to reformat or not should be based on:

• The use of the computer - this is the primary factor in the decision whether to reformat and reinstall, or just disinfect.
• The variety of malware - this influences the decision on whether to reformat and reinstall, or just disinfect. IN THIS CASE we have a rootkit as well as a backdoor trojan, the worst kinds.

If the computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the Internet and from any networked computers until the computer can be cleaned.
• Back up all important data on the machine. Do not back up any Applications (programs). Those should be reinstalled from the original source CDs or websites.
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being, call your banks, credit card companies, and financial institutions to inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
• Take any other steps you think appropriate for an attempted identity theft.

What is a backdoor or remote access trojan?
Danger: Remote Access Trojans

Consumers – Identity Theft

When should I re-format? How should I reinstall?

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Rootkits: The Obscure Hacker Attack

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

Microsoft Says Recovery from Malware Becoming Impossible

Reformatting Windows XP by wng_z3r0

Windows XP Clean install

If you do decide to format/re-install and need some help, let me know.

However, if you do not have the resources to reformat your computer and reinstall your operating system and programs and would like me to attempt to clean it, I will be happy to do so.

Please let us know what you have decided to do in your next post.

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Kid's computer got infected.

Well that is terrible news!

Can you tell me what leads you to believe this infection is so serious? Do I need to format all the machines on my network?

I will disconnect the infected machine immediately. I will wait for your reply to this post before I format the machine, but that is my intention at this point.

If you tell me the whole network is compromised, I will want to attempt to kill the trojan rather than reinstall on 3 machines. If it's possible to get away with just the one, then it's worth the time invested to reformat and be done with it.

Now that I've learned not to be lazy (or cheap) with AV and FW software, I suppose it is a lesson worth learning. I will wait to cleanse the system before I change any of my information but I will be keeping a close eye on it. Thanks for the prompt response. I guess I'm relying on your knowledge here before I continue. I had Norton Internet Security in the past, but the license expired and I just let it go.

Again, if you think I can just format the infected machine and be good, I'll do that. If it's the whole network, I would like to try to disinfect (even though I'll likely format afterwards anyway). I will do whatever you recommend to get a clean bill of health from this site.

This has been great motivation for me to join this community and fight the good fight - I will do whatever I can to contribute starting with joining MWR University as soon as I'm clean.
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

The following entries indicate several bad Trojans, Worms, and Rootkits.

O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')

Summary of Infections: (For more information, click on the name of the infection.)

1. SDBOT Worm may affect your network. The worm connects to an IRC channel and server and waits for instructions. Adds a lockx.exe rootkit that connects to an IRC server, awaiting remote commands from an attacker. Rootkits may be used by an intruder after cracking a computer system and often hide logins, processes, files, and logs. It may include software to intercept data from terminals, network connections, and the keyboard. A remote attacker can use the trojan to perform various tasks:
   • Gather system information (CPU, Drive Space, RAM, OS Version, User name, Computer name, IP Address)
   • Run IRC commands (Join channels, send messages)
   • SYN Flood others
   • Kill processes
   • Execute files

2. DELF-UX Trojan: The Trojan logs keypresses to a file named itime.txt in the Windows temp folder. Troj/Delf-UX may also post data to a remote site.

3. Variant of Rootkit.Win32.Agent.uj: A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users. Rootkits are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

4. Troj/IRCBot-ZL: Troj/IRCBot-ZL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

I know you probably do not want to hear this, but if this were my network, I would back up files and reformat the three computers on your network. For instructions on reformatting, see Reinstalling Windows XP Home.

We may be able to clean the infected files off the computer, and if you wish, we will attempt to do so, but we cannot be sure that the infection did not do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you reconnect to the Internet.

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm
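The post above singles out two HijackThis O4 entries that carry an empty item name and sit under the SYSTEM and Default user hives. The script below is an added example, not code from the thread, from HijackThis or from the MalwareRemoval.com volunteers: it parses O4 lines of the shape quoted above and marks for analyst review any entry with an empty name, an empty command, or a non-user hive. The sample log is constructed; the benign "ExampleUpdater" entry is invented for contrast.

```python
"""Flag HijackThis O4 autostart entries that deserve analyst review.

Added example, not code from the forum thread or from HijackThis. It parses
O4 lines of the shape quoted in the post and flags the traits called out
there: an empty item name, an empty command, and an entry living under the
SYSTEM or Default user hive. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')
# The hive may itself contain backslashes (HKUS\S-1-5-18), so it is matched
# non-greedily up to the literal "\..\" separator HijackThis prints.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*"
    r"(?P<command>.*?)(?:\s*\(User '(?P<user>[^']*)'\))?\s*$"
)

# Hives HijackThis reports for accounts that are not the interactive user.
NON_USER_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

# Constructed sample: one invented benign entry, the two entries quoted in
# the post, and a non-O4 line to show the filter.
SAMPLE_LOG = r"""# constructed sample, not a real log
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O23 - Service: Example Service - Example Ltd - C:\Program Files\Example\svc.exe
"""


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; return None for any other log line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m["hive"], m["key"], m["name"], m["command"].strip(), m["user"])


def assess(entry: O4Entry) -> O4Entry:
    """Attach review reasons; an entry with no reasons looks ordinary."""
    if entry.name == "":
        entry.reasons.append("empty value name: autostart with no friendly name")
    if entry.command == "":
        entry.reasons.append("empty command: entry exists but shows no file")
    if entry.hive.startswith(NON_USER_HIVES):
        entry.reasons.append("runs under SYSTEM or Default user hive, not the logged-in user")
    return entry


def scan_log(text: str) -> List[O4Entry]:
    """Return every O4 entry in log order, each assessed."""
    entries = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            entries.append(assess(entry))
    return entries


def flagged(text: str) -> List[O4Entry]:
    """Only the entries that collected at least one review reason."""
    return [e for e in scan_log(text) if e.reasons]


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        status = "REVIEW" if e.reasons else "ok"
        print(f"[{status}] {e.hive}\\..\\{e.key} [{e.name}] {e.command} user={e.user}")
        for r in e.reasons:
            print("         -", r)
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file contents; the reasons are heuristics that tell an analyst where to look, not a verdict on their own.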

Re: Kid's computer got infected.

Thanks again for the information.

While this is not what I wanted to hear, I was prepared for the worst. It serves me right - I knew the AV and Firewall were a big issue and I just got so spoiled being on Linux all the time, that I just let it fall by the wayside.

I am preparing now to format all three machines. There are no files that I can't back up and considering the severity of the issue, I just want to resolve it and get back online! I should be able to reformat and reinstall on my own - I did it regularly when I was on Windows all the time. I will be installing AVG and will be considering firewall options. While the freeware might work, I think this lesson has taught me that I should quit being cheap when it comes to technology.

Any suggestions you might have that would be helpful in preventing this in the future would be greatly appreciated. I have some family obligations this weekend so it will be sometime Sunday before I can post back after the reinstall. Please let me know if there are any other instructions you have for me when I can return.

Signing offline now until fixed.
Carlo Gambino
Regular Member

Posts: 113
Joined: August 24th, 2008, 3:13 am
Location: Ohio, USA

Re: Kid's computer got infected.

If you have a flash drive, I recommend that you download the firewall and antivirus program of your choice to the flash drive. I keep the Avast4! and Comodo Firewall Pro on my flash drive so they can be installed on my hard drive without having to get on the Internet to download them.

The best antivirus and firewall programs are actually the free ones. If I were you, I would not pay for them. Usually, they are big, cumbersome programs that do not work as well as the free ones. I use Avast4! for my antivirus program and Comodo Firewall Pro for my firewall.

Any one of the antivirus programs below would do a good job for you.

AVG 8 Anti-Virus Free Edition

AntiVir Personal

Avast! 4 Home Edition
If needed, see How to Install, Configure, and Use Avast Antivirus

There are several firewalls that provide better protection than the Windows firewall. Follow these steps to turn off/disable the Windows Firewall before installing a new firewall:
1. Disconnect from the Internet.
2. Click Start > Control Panel.
3. Switch to Classic View if you have not already done so.
4. Double click on the Windows Firewall icon.
5. Click Off (Not recommended).
6. Install the new Firewall.
Do not attempt to run two software firewalls since, like running two antivirus programs, they will possibly cause problems and conflict with each other.

• Avoid inviting the monsters in by clicking on links in instant messages.
• Avoid opening email attachments.
• Avoid visiting every poker site on the net.
• Avoid using the peer-to-peer file sharing.
• Malware (computer viruses, trojans, most rootkits, spyware, dishonest adware, crimeware) is out there just waiting to pounce on your system if you visit their website which may be some seemingly innocent web site. Be careful because some of these monsters are so vicious that no one can possibly save you once you let them in.
• Remember that new bad stuff emerges every day or week of the year. Take responsibility for protecting your system because you are its first and best defense.
Steps To Keep Your Computer Clean And Secure:

1. Establish A New Clean System Restore Point and Clean the Infected System Restore Points. After cleaning, you will need to clean the infected System Restore Points. Files placed in the System Volume Information folder are source files for the System Restore function that is available in the Windows XP operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them.

   Step 1: Create a new, clean System Restore point.
   • Click on Start > All Programs > Accessories > System Tools > System Restore.
   • On the Welcome Page, select Create a restore point. Click Next.
   • Give this restore point a descriptive name and click Create.
   • When done, click Close.

   Note: Do not clear infected System Restore points before creating a new System Restore point!

   Step 2: Clear infected System Restore points.
   • Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
   • Select the C drive and click OK.
   • Select the More Options tab.
   • Under System Restore, click on Clean up....
   • You will be prompted. Click Yes.
   • When done, click OK.
   • You will be prompted again. Press Yes to confirm.
   • When done, Disk Cleanup will close automatically.

2. Make your Internet Explorer more secure: This can be done by following these simple instructions:
   1. From within Internet Explorer, click on Tools > Options.
   2. Click on the Security tab.
   3. Click on the Internet icon.
   4. Click the Custom Level button.
      • Change Initialize and script ActiveX controls not marked as safe to Disable
      • Change Installation of desktop items to Prompt
      • Change Launching programs and files in an IFRAME to Prompt
      • Change Navigate sub frames across different domains to Prompt
   5. When all these settings have been made, click on the OK button.
   6. Press the Yes button to save the settings.
   7. Click Apply > OK to exit Internet Properties.

3. Use a Firewall: Without a firewall, your computer is susceptible to being hacked. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones, see Computer Safety On line - Firewalls. For more information about firewalls, please read Understanding and Using Firewalls.

4. Use Antivirus Software and Keep It Updated: It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. For an article on antivirus programs and a listing of some available ones, see Computer Safety On line - Anti-Virus.

5. Visit Microsoft's Windows Update Site Frequently: It is important that you visit Microsoft Windows Update regularly to ensure that your computer has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

6. You should scan your computer with Spybot S&D on a regular basis just as you would with anti-virus software. See the tutorial on Using Spybot - Search & Destroy to remove Spyware from Your Computer.

7. You should scan your computer with Ad-Aware 2008 as well as Spybot S&D and your antivirus program on a regular basis. See the tutorial on installing and using Ad-Aware 2007/2008.

8. Update SpywareBlaster (at least weekly): SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs. See this article on anti-malware products with links for this program and others, Computer Safety on line - Anti Malware.

9. Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. You can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file. Make sure you read the Download and Install Instructions for the MVPS HOSTS File. If needed, see the instructions in the Editor's Note: in most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs in W2000/XP/Vista. Windows 98 and ME are not affected.

10. Use an alternative instant messenger program: Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).

11. Please read Tony Klein's excellent article: How I got Infected in the First Place.

12. Please read Simple and easy ways to keep your computer safe and secure on the Internet.

13. If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox browser is much more secure than Internet Explorer and immune to almost all known browser hijackers.
Another good browser is Opera. Opera 9x comes loaded with the tools to keep you productive and safe. It is absolutely free.

14. Update all these programs regularly: Make sure you update all the programs listed regularly. Without regular updates, you WILL NOT be protected when new malicious programs are released.
Good luck!

suebaby41
MRU Master

Posts: 2053
Joined: February 8th, 2005, 7:38 pm
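Step 9 of the post above recommends a blocking hosts file and warns that one over 135 KB can slow the machine. The script below is an added example, not code from the thread or from the MVPS HOSTS project: it reads a hosts file, counts the names sunk to 0.0.0.0, 127.0.0.1 or ::1 (the blocking entries), separates the normal loopback defaults, lists any name pointed at some other address (the case worth checking, since a hosts file can just as easily send a real site somewhere else), and compares the file size with the 135 KB figure from the post. The sample file is constructed and uses reserved example domains and the 192.0.2.0/24 documentation range.

```python
"""Audit a Windows hosts file of the kind the post recommends installing.

Added example, not code from the forum thread or from the MVPS HOSTS project.
Each entry is classed as a block (name sunk to a sink address), a loopback
default, a redirect to some other address, or malformed. HOSTS_SAMPLE is
constructed.
"""
import ipaddress
import sys
from typing import Dict, Iterator, List, Tuple

SINK_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SIZE_THRESHOLD_BYTES = 135 * 1024  # the "over 135 kb" figure from the post

HOSTS_SAMPLE = """\
# constructed sample, not the real MVPS list
127.0.0.1  localhost
::1        localhost
0.0.0.0    ads.example.net           # sunk: never reaches the network
0.0.0.0    tracker.example.org
127.0.0.1  malware-host.example.com
192.0.2.10 update.example.com        # points elsewhere: review this
not-an-ip  broken.example.com        # malformed: flagged for review
"""


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, first_token, [hostnames]) for each non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield line_no, tokens[0], tokens[1:]


def classify(ip: str, name: str) -> str:
    """Return 'block', 'local', 'redirect' or 'malformed' for one ip/name pair."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if ip in SINK_IPS:
        return "local" if name.lower() in LOOPBACK_NAMES else "block"
    return "redirect"


def audit_hosts(text: str) -> Dict[str, object]:
    """Summarise a hosts file: counts per class, redirects, and size check."""
    counts = {"block": 0, "local": 0, "malformed": 0}
    redirects: List[Tuple[str, str]] = []
    for _line_no, ip, names in parse_hosts(text):
        if not names:  # an address with no hostname is not a usable entry
            counts["malformed"] += 1
            continue
        for name in names:
            kind = classify(ip, name)
            if kind == "redirect":
                redirects.append((name, ip))
            else:
                counts[kind] += 1
    size = len(text.encode("utf-8"))
    return {
        "blocked": counts["block"],
        "local": counts["local"],
        "malformed": counts["malformed"],
        "redirects": redirects,
        "size_bytes": size,
        "over_size_threshold": size > SIZE_THRESHOLD_BYTES,
    }


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to audit a
    # real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = HOSTS_SAMPLE
    report = audit_hosts(content)
    print(f"blocked names: {report['blocked']}, loopback defaults: {report['local']}, "
          f"malformed: {report['malformed']}")
    for name, ip in report["redirects"]:
        print(f"REVIEW: {name} -> {ip} (not a blocking address)")
    print(f"size: {report['size_bytes']} bytes, over threshold: {report['over_size_threshold']}")
```

Any name under "REVIEW" is not blocked at all but sent to the listed address, so after installing a hosts file the redirect list should be empty unless you added intranet mappings yourself.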