
Fraud Trojan-Spy files found; on the verge of wiping my hd

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by EtchaSketch » December 29th, 2008, 1:26 am

Hi John,

Kaspersky scans of the specific directories where there had been findings came out clean (logs below).

Timing has worked out for me to do a full scan of the computer overnight. That's running right now, and at 25% through, has found a few objects. I'll post the results when it's finished.

My posts may be a bit delayed this week, as I'll be spending more time away from my machine.

Have a good day, ;)
~ Annie ~

---------------------------------
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 23:13:17
Records in database: 1526031
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Folder
D:\Outlook Express Data and Settings
Scan statistics
Files scanned 311
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:11:33

No malware has been detected. The scan area is clean.
The selected area was scanned.
-------------------------------------------
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 23:13:17
Records in database: 1526031
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Folder
C:\Documents and Settings\Seagate\My Documents\Backup
Scan statistics
Files scanned 296
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:07:19

No malware has been detected. The scan area is clean.
The selected area was scanned.
--------------------------------------
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 23:13:17
Records in database: 1526031
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Folder
D:\Documents and Settings\All Users\Documents
Scan statistics
Files scanned 1593
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:02:13

No malware has been detected. The scan area is clean.
The selected area was scanned.
---------------------------------------------
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 23:13:17
Records in database: 1526031
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Folder
D:\Backup Files\zzz Archives
Scan statistics
Files scanned 2
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:00:14

No malware has been detected. The scan area is clean.
The selected area was scanned.
--------------------end-------------------
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by John B. » December 29th, 2008, 9:52 am

Hi Annie,

I looked through Zone Alarm's settings. The only thing that I can tell might be associated is the Firewall Zones area. The only item defined there is my LAN, in the "Trusted" zone. To experiment, I switched it to "Internet" zone, then ran an HJT scan. The O15 lines still showed up, I "fixed" them, ran the scan again, and still there.

I then shut down Zone Alarm, ran an HJT scan, fixed the O15 items, and still no change.

I checked the Internet Options, Security settings GUI throughout that process, and no change - still a blank.

We aren't lucky, are we...

I want to uninstall Zone Alarm anyway. Perhaps it might be worth doing that :?: and then check for/fix the O15 strangeness :?:

ZoneAlarm is very heavy on resources nowadays, so I also got rid of it. Here is what I tell people without firewall software installed. It could be interesting:
Using a firewall on your computer can be very important. Without a firewall your computer is susceptible to being hacked and taken over. There are some different situations you can be in where a third-party firewall may or may not be a good addition to your system:
  • If you are not using Windows XP or Vista, but an older version, I recommend that you use a firewall.
  • If you are using Windows XP or Vista, but are on dial-up, I recommend that you use a firewall.
  • If you are using Windows XP or Vista and are using broadband, but are not experienced in using firewalls and getting the choice to allow or disallow things, I recommend that you use Windows Firewall.
  • If you are using Windows XP or Vista, are using broadband and are experienced, I recommend that you disable Windows Firewall (as it is not perfect) and get a third-party firewall.

Here are some firewalls which are free for personal use and most used:
Kerio Personal Firewall (Free version after 30 days)
Online Armor Free

Or you could buy their paid version online or in a shop nearby:
Kerio Personal Firewall (Continue paid version after 30 days)
Online Armor or Online Armor AV+ with Anti-Virus included


Kaspersky scans of the specific directories where there had been findings came out clean (logs below).

Feels good, huh.

Timing has worked out for me to do a full scan of the computer overnight. That's running right now, and at 25% through, has found a few objects. I'll post the results when it's finished.

Probably just a couple of files that are locked, so could not be scanned. As long as it does not find 'infected objects' or 'infections'. You can post the log if you want to.

My posts may be a bit delayed this week, as I'll be spending more time away from my machine.

Alright, no problem, as long as you tell me if you will be away from the keyboard more than 5 days.

How's your computer running overall?

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by EtchaSketch » December 29th, 2008, 10:15 pm

Hi John,

The full Kaspersky scan came out essentially clean! :oops: I forgot to empty the trash though <she rolls her eyes>. Those were the files I mentioned being found at 25% complete. :p So after taking out the garbage… Hooray!
Feels good, huh.
Yes! It’s a very nice feeling. :thumbleft:


We aren't lucky, are we...
Shucks, I guess not. :| I have found some good information that leaves no doubt that the O15 lines are directly related to Internet Settings, Security Zones. However, I’m concerned about going further into a problem area that might be outside the sphere of focus for this forum and/or for you. I know you probably have plenty on your plate… (Though I am rather enjoying this conversation.)


Here is what I tell to people without Firewall software installed…
Thank you; good input! I have done some studying lately about “layered defense” and really like the concept. I plan on putting into place as many points as I can, outlined in this excellent article: http://networking.nitecruzr.net/2005/05/please-protect-yourself-layer-your.html

I also think the last post on this page is a very good guideline (probably the same author): http://www.tomshardware.com/forum/12027-42-question-hardware-firewall

My decision to use Online Armor as my new software firewall is based on the information I found here: http://www.matousec.com/projects/firewall-challenge/results.php#firewalls-ratings

What software firewall do you use? How do you like it?


… no problem, as long as you tell me if you will be away from the keyboard more than 5 days.
Gracious… :lol: I’m not sure I can fathom what it would be like to be away from it that long! ;)

How's your computer running overall?
I appreciate you asking, and I will answer truthfully, but I don’t want to press going outside the scope of what should be accomplished within this communique.

What has improved the most, and this seemed to happen after “the black screen of death” and the system’s recovery from “a serious error,” is program switching response time. It is MUCH faster and doesn’t stall or hang like it had been constantly. General performance, or process response time, is quite satisfactory now.

However, I’m troubled by what seems like OS problems, like HJT’s O15 lines, and the missing security setting options, and most recently, I tried to run the msconfig command from Start menu > Run, and, gulp, Windows couldn’t find it. I searched for it manually, and ran it directly from its resident location, but why I suddenly can’t run it from the Start menu is puzzling. Other commands seem to run fine from the Start menu.

Another bothersome item is that Zone Alarm gives me a repeated alert that started happening last August, when all the strange things started happening. It says “Generic Host Process for Win32 Services is trying to act as a server. Application: svchost.exe Source IP: 0.0.0.0 Port 135 ” I had made no changes that would have caused this. The alert doesn’t appear as frequently as it used to, but it occurs nonetheless. I’m working on reading about system intrusions that might utilize these pathways.

So, that's what I know for now. ;)

Cheers,
Annie

P.S. I'm not spooked about doing financial business online anymore. That's a BIG improvement :cheers:
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by EtchaSketch » December 30th, 2008, 8:20 am

Hello John,

Just a quickie before I go away from my computer until this evening...

I ran a Trend Micro online Housecall scan last night. It found malware called " tspy_gampass.bn "... "3 Infections" on my computer. The window pane where the file locations should have been was a blank :?: , so I was unable to select them for removal or cleaning.

Are you familiar with this? So far, I'm only finding vague information in Trend Micro's virus databases.

Hope you're having a good day.

~ Annie ~
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by John B. » December 30th, 2008, 2:36 pm

Hi Annie,

You have been busy again, haven't you ;)

I have found some good information that leaves no doubt that the O15 lines are directly related to Internet Settings, Security Zones. However, I’m concerned about going further into a problem area that might be outside the sphere of focus for this forum and/or for you. I know you probably have plenty on your plate… (Though I am rather enjoying this conversation.)

On another website I am also in training to become a tech helper, so my knowledge about non-malware related problems is increasing a lot at the moment. Funny that I seem to be attracting non-malware related problems here as well nowadays. Anyway, it is a good opportunity to learn, and I will not tell you to do things I am not sure are safe :) Safety first. If we cannot come to a solution I can still recommend you to go to the forum where you can receive tech help.

My decision to use Online Armor as my new software firewall is based on the information I found here: http://www.matousec.com/projects/firewa ... ls-ratings

Online Armor is very good indeed. It is a pity the number of people who know about it is really limited. I guess we will just have to watch how 75% of the people have Norton or McAfee. The world's unfair...

What software firewall do you use? How do you like it?

I use Comodo Personal Firewall v3. It is fairly light on resources for my system, but one thing that I disabled is Defense+ (it tells you if files are created, etc.) because it drives you crazy when installing stuff.

However, I’m troubled by what seems like OS problems, like HJT’s O15 lines, and the missing security setting options

I will try and find out how the settings can be changed by accessing the registry. It could be that it is just a bug in HJT that makes it unable to fix it.

I tried to run the msconfig command from Start menu > Run, and, gulp, Windows couldn’t find it. I searched for it manually, and ran it directly from its resident location, but why I suddenly can’t run it from the Start menu is puzzling. Other commands seem to run fine from the Start menu.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as All Files and name it "msconf.bat" (including quotation marks). Please save it on your desktop.

Code:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE" /ve /t REG_SZ /d %systemroot%\pchealth\helpctr\Binaries\MSCONFIG.EXE /f


Double click msconf.bat. A window will open and close. This is normal. Now reboot and give MSConfig another try using Run.

Another bothersome item is that Zone Alarm gives me a repeated alert that started happening last August, when all the strange things started happening. It says “Generic Host Process for Win32 Services is trying to act as a server. Application: svchost.exe Source IP: 0.0.0.0 Port 135 ” I had made no changes that would have caused this. The alert doesn’t appear as frequently as it used to, but it occurs nonetheless. I’m working on reading about system intrusions that might utilize these pathways.

Is your computer in a network with multiple clients (other computers)? I know that ZoneAlarm used to give me this warning when I tried to use Remote Desktop or filesharing in my network.

On the other hand it is strange that the source IP is 0.0.0.0 and port 135, because you would normally see the IP and port 135 is normally for services like DNS and WINS (try Wikipedia if you do not know what those are :) ).

I ran a Trend Micro online Housecall scan last night. It found malware called " tspy_gampass.bn "... "3 Infections" on my computer. The window pane where the file locations should have been was a blank :?: , so I was unable to select them for removal or cleaning.

Are you familiar with this? So far, I'm only finding vague information in Trend Micro's virus databases.

Very strange. TrendMicro says that it cannot be found in the wild:
http://www.trendmicro.com/vinfo/graywar ... GAMPASS.BN
That means you could not become infected with it without downloading a real test file. Not that this information can be completely trusted, because how would they find out it exists if it is not found in the wild? If MalwareBytes' Anti-Malware and Kaspersky come back clean you should be clean. Can you please do another scan and tell me what the path of the files is?

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by John B. » December 30th, 2008, 3:47 pm

Hi,

To solve the problems with the O15 lines download DelDomains by WinHelp2002 and save it to your desktop.
  • Right-click on DelDomains.inf, and choose Install.
  • You may not see any noticeable changes or prompts; this is normal.
  • Then, please restart your computer, and post a new HijackThis log.
  • You will have to re-immunize with SpywareBlaster and Spybot - Search & Destroy after doing this.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by EtchaSketch » December 31st, 2008, 1:49 pm

Hi John,

Thank you for such nice, detailed responses. You are very patient, and interacting with you is very pleasant.


On another website I am also in training to become a tech helper, so my knowledge about non-malware related problems is increasing a lot at the moment. Funny that I seem to be attracting non-malware related problems here as well nowadays. Anyway, it is a good opportunity to learn, and I will not tell you to do things I am not sure are safe. Safety first. If we cannot come to a solution I can still recommend you to go to the forum where you can receive tech help.
Excellent! This is very reassuring. It is indeed interesting how our minds perceive and make choices, even if unconsciously, that take us in directions we wish to go. I will enjoy learning with you.


Online Armor is very good indeed. It is a pity the amount of people who know about it is really limited. I guess we will have to just watch how 75% of the people have Norton or McAfee. The world's unfair...
It certainly IS a pity. Though, it may not be a matter of fair or unfair. There are reasons people make the choices they do, and from my perspective, the true pity is that so many people lack the wherewithal to do anything but follow what is put in front of their noses, without questioning or thinking. Yes, to watch is sometimes all we can do with ignorance, and also protect ourselves from it! We can also feel fortunate to embody higher intelligence, and sometimes, we can teach or share our knowledge, and it may actually make a difference.


I use Comodo Personal Firewall v3. It is fairly light on resources for my system, but one thing that I disabled is Defense+ (it tells you if files are created, etc.) because it drives you crazy when installing stuff.

Excellent.

------------------------------

Thank you for the msconfig batch file. What a slick fix... very smooth 8) and runs fine now. The DOS command window is not completely foreign to me. In fact, I was just learning DOS when Windows first began to be popular, in the early 90s, then the whole computer world changed phenomenally…

------------------------------

Regarding the Zone Alarm alert: “Host Process for Win32 Services is trying to act as a server. Application: svchost.exe Source IP: 0.0.0.0 Port 135 ”
Is your computer in a network with multiple clients (other computers)? I know that ZoneAlarm used to give me this warning when I tried to use Remote Desktop or filesharing in my network.
Just a very small home LAN with two computers. My computer connects to the internet through the second computer and file sharing is on. The LAN is wired with CAT5 cable.

The ZA alert is not very troublesome, and there is no great need for us to spend time on it, unless for learning or exercise. I’ll be replacing ZA soon with Online Armor. Perhaps that will reset some things.


------------------------------

Regarding TrendMicro finding tspy_gampass.bn…
Can you please do another scan and tell me what the path of the files is?
I found the file paths in a Housecall scan I had run several weeks ago and dismissed. <Again, she rolls her eyes> Please pardon me for mentioning it. They were on my secondary hard drive (which is in sore need of formatting) - old, out-of-use copies of software that were accompanied by a patch. Like you say, most likely not a problem.


------------------------------ Shwew.

So, now to narrow focus down to the O15 lines. I ran DelDomains, and shucks, it didn’t work. Amazingly, I think I can explain why:

I found what looks to be the exact entries in my registry to which the O15 lines refer. I also found one article in Microsoft’s knowledge base that discusses this area of the registry.

Here are a couple screen shots, one of my registry showing the specific entries, (I have done nothing but view the entries – no changes made) and one from the Microsoft article showing the key values that correspond with each security zone.
Attachment: O15 entries,Registry.doc


In looking at what DelDomains does, it deletes and replaces only the Restricted and Trusted Zones, zones 4 and 2 respectively. The O15 lines and their corresponding registry entries deal with zones 0, 1 and 3, all the zones that DelDomains does not touch.

So then, according to what we see in my registry, the “ProtocolDefaults” are in the correct zones, making the O15 statements HJT has come up with untrue.

My next questions would be (just thinking out loud): Is it an HJT bug that’s causing the O15 entries to be created? (I’ve thought about contacting Trend Micro to ask what causes these statements to appear.) Or, Is there a conflict somewhere else in the registry, or elsewhere in the system?

Using the find function in regedit, I couldn’t find those protocol names (@ivt, file, ftp, http, https) anywhere else in the registry, and I can’t quite imagine where else a conflict might exist. Nevertheless, some kind of conflict makes at least some sense when considering the mysterious, missing security settings fields in the Internet Options GUI.

That’s as far as I’ve gotten with that. :?: Perhaps running a batch file similar to the msconfig.bat or DelDomains.inf files, that deletes and recreates this registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults might be worth trying :?:


Well, in several hours we begin a new year. Happy New Year to you, John. :happy7:

Annie


P.S. Off the top of your head (no need to kill time on it - I can search), do you happen to know of a tool or utility that can view the registry without being in edit mode? Though I’m not afraid of going into the registry, I’d feel better knowing possible mistaken keystrokes would have no effect.
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by John B. » December 31st, 2008, 2:30 pm

Hi Annie,

Thank you for the msconfig batch file. What a slick fix... very smooth 8)

Hehe, not created by me, I just copy-pasted it ;) ComboFix had a bug which created this problem and the developer fixed the bug and told us how to fix it (.bat and .reg wise).

I know the basics and a little advanced stuff (for commands, etc.) but not all those switches that we used to make sure that somebody with drive D as system drive would not have problems.

The ZA alert is not very troublesome, and there is no great need for us to spend time on it, unless for learning or exercise. I’ll be replacing ZA soon with Online Armor. Perhaps that will reset some things.

We'll see :)

Please try a manual version of what DelDomains does in general:
Step 1: Back up the registry
  • Download ERUNT
  • Save it to your desktop. Run and install this program.
  • In the box that opens only choose System registry
  • Then click OK.
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Step 2: Run RegFix
Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • Save it on the desktop
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]


Make sure there are NO blank lines before REGEDIT4.
Make sure there IS one blank line at the end.
  • Now close the window. Also close any other windows that are open!
  • Then double-click on the fix.reg file, and when it prompts to merge say yes.

Make sure you reboot afterwards.

P.S. Off the top of your head (no need to kill time on it - I can search), do you happen to know of a tool or utility that can view the registry without being in edit mode? Though I’m not afraid of going into the registry, I’d feel better knowing possible mistaken keystrokes would have no effect.

I understand that you are afraid. Unfortunately, I do not know of any registry viewer that has no edit mode. I can ask the others if you want to? The safest way is to just back up with ERUNT when you enter the registry.

Please let me know. Happy new year in advance (exactly 4.5 hours left here)!

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
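As an added example (not code from this thread, from HijackThis, or from WinHelp2002's DelDomains): a small Python parser for REGEDIT4-format text that checks every ZoneMap\ProtocolDefaults key against the default protocol-to-zone mapping written in John's fix.reg above. It shows concretely what Annie's reasoning about zones 0 through 3 and an HJT O15 "ProtocolDefaults" line are about: a protocol whose zone number differs from its default. The zone names follow Internet Explorer's standard numbering (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites); both .reg samples are constructed for the example, and the report wording is this example's own, modelled loosely on HJT's O15 lines.

```python
import re

# Default protocol-to-zone mapping, as written in the thread's fix.reg.
EXPECTED_DEFAULTS = {"http": 3, "https": 3, "ftp": 3, "file": 3, "@ivt": 1, "shell": 0}

# Internet Explorer's security zone numbering (0 through 4).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Matched case-insensitively against the end of a key path, so HKLM and HKCU both count.
PROTOCOL_DEFAULTS_SUFFIX = r"\internet settings\zonemap\protocoldefaults"

# Constructed sample: the HKLM ProtocolDefaults section of a healthy fix.reg.
GOOD_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
'''

# Constructed sample of the condition an O15 line reports: http mapped to zone 2.
BAD_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000002
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse REGEDIT4/5 text into {key_path: {value_name: value}}.

    Handles "string" and dword: data. A [-KEY] line deletes the key (recorded
    as an empty dict); any values listed after it are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            path = key_match.group(2)
            if key_match.group(1) == "-":
                keys[path] = {}
                current = None
            else:
                current = path
                keys.setdefault(path, {})
            continue
        if current is None:
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        name = "" if value_match.group(1) == "@" else value_match.group(1)[1:-1]
        data = value_match.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
    return keys


def check_protocol_defaults(keys):
    """Return (key_path, protocol, actual_zone, expected_zone) for every protocol
    in a ProtocolDefaults key whose zone differs from EXPECTED_DEFAULTS."""
    mismatches = []
    for path, values in keys.items():
        if not path.lower().endswith(PROTOCOL_DEFAULTS_SUFFIX):
            continue
        for proto, expected in EXPECTED_DEFAULTS.items():
            actual = values.get(proto)
            if actual is not None and actual != expected:
                mismatches.append((path, proto, actual, expected))
    return mismatches


def report(mismatches):
    """Render mismatches as O15-style lines (the wording is this example's own)."""
    return ["O15 - ProtocolDefaults: '%s' protocol is in %s Zone, should be %s Zone"
            % (proto, ZONE_NAMES.get(actual, str(actual)), ZONE_NAMES.get(expected, str(expected)))
            for _path, proto, actual, expected in mismatches]


if __name__ == "__main__":
    for label, text in (("fix.reg defaults", GOOD_REG), ("http moved to zone 2", BAD_REG)):
        lines = report(check_protocol_defaults(parse_reg(text)))
        print(label + ":", "clean" if not lines else "")
        for line in lines:
            print("  " + line)
```

Run against a .reg export of the two ProtocolDefaults keys (regedit's File > Export produces the same format), the script reports exactly the protocols that HJT would flag; a clean result on both HKLM and HKCU is what the fix.reg merge is meant to produce. The parser deliberately treats a [-KEY] line as wiping the key, which is why fix.reg lists each key twice (delete, then recreate).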

Clear HJT Log!

Post by EtchaSketch » December 31st, 2008, 7:44 pm

Hi John,

:occasion7: Happy new year in your part of the world. Six and a half hours more before the clock turns here.

To celebrate, here is my HJT log, free of O15 lines! Yipee! :cheers: You did it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:35 PM, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberPower UPS\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\CyberPower UPS\pppeuser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EarthLink Accelerator\propelac.exe
C:\Program Files\TurboNote\tbnote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower UPS\pppeuser.exe"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9523293859
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9522871890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7360 bytes

The Internet Security Settings GUI is still a blank. Hmmm. :scratch:

No bother on the registry viewer. I can always search for one, and backing up with Erunt before entering is sound practice.

:sunny: Annie :sunny:
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » January 1st, 2009, 10:40 am

Hi Annie,

Happy new year in your part of the world. Six and a half hours more before the clock turns here.

Must be 2009 on your side of the world now as well ;) Happy new year! Hope it'll be a good one for everybody.

To celebrate, here is my HJT log, free of O15 lines! Yipee! :cheers: You did it.

And you did not edit the log to make it free of O15 lines? ;) How's the computer and browsing working?

The Internet Security Settings GUI is still a blank. Hmmm. :scratch:

First of all, I recommend that you run Microsoft Update and install Service Pack 3. This may solve it. If not, we can try more stuff. Make sure that you do not use the computer while installing Service Pack 3 and on reboot you will need to follow a couple of steps given.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » January 2nd, 2009, 1:31 am

Hi John,

And you did not edit the log to make it free of O15 lines?
Tehehe… I’ll never tell. :angel9:

I wouldn’t mind understanding more (which means a LOT ;) ) about what DelDomains is and how it works, what the code we ran did, and what if anything it might have improved. How would you summarize what the code did? Did it do more to my system than just get rid of some pesky lines in an HJT log?

Whatever the case, I’m just very glad it worked.

How's the computer and browsing working?
Overall my computer is zipping right along. General processes and window/program switching are running smooth. :happy3:

Browsing is NOT consistent or stable. There are times when pages won’t load at all, other times when they will load after retrying several times, and then there are the great times when it seems like a dam breaks and all the tabs load, every time, and speedily too. Generally, I’d say at least 50% of the time, there is difficulty loading web pages. Some factors to know are:
    - Most of the time, my computer connects to the internet through another ICS computer.
    - There are times when disconnecting the dial-up and redialing solves the problem.
    - There are times when a Windows “repair” on the LAN, on one or both computers, will get pages loading again.
    - There are other times when the only thing that helps is to restart the ICS machine, and sometimes both machines.
    - On occasion, my computer might be dialed up directly. At those times there is usually not a problem loading pages, particularly if my machine has been restarted recently.


First of all, I recommend that you run Microsoft Update and install Service Pack 3.
Sounds like a good plan to me; it’s been ‘on the list’ and I'm glad to get it done. I just started the download… 316 MB at an average of 2, 5 KB/s looks like it might take two or three days or more. I’ll have to pause it when I want to use the internet otherwise, so it will depend on my usage. I’ll keep you updated daily with progress.

In the mean time, is there anything else we want to tinker with?

Hope your first day of 2009 was wonderful, and so too may the remainder be.

Cheers,
Annie
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » January 2nd, 2009, 11:55 am

Hi Annie,

I wouldn’t mind understanding more (which means a LOT ) about what DelDomains is and how it works, what the code we ran did, and what if anything it might have improved. How would you summarize what the code did? Did it do more to my system than just get rid of some pesky lines in an HJT log?

All it does is reset the domain and zone settings to default. Pure and simple ;) Why DelDomains did not work and the regfix did? I don't know.

Browsing is NOT consistent or stable. There are times when pages won’t load at all, other times when they will load after retrying several times, and then there are the great times when it seems like a dam breaks and all the tabs load, every time, and speedily too. Generally, I’d say at least 50% of the time, there is difficulty loading web pages.

This may very well be a problem with your ISP. Have you called them to check if something is wrong with the line? They should be able to test that. Even if the line is not at fault, it could still be that the ISP is just bad. Have you always had this problem or did it start later? Do you know when? When you started using the ICS technique? Is changing your networking technique not a possibility?

Hmm, did not know you were on dial-up. Here is a link to order Service Pack 3 on CD if you prefer this:
http://www.microsoft.com/windows/produc ... _id=20399b

Until you have installed it I do not know if it solves your GUI problems, so there is nothing to do.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
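One way to see what "the domain and zone settings" above actually are, as an added example that is not part of this thread, of DelDomains or of HijackThis: the PowerShell script below reads the Internet Explorer ZoneMap registry keys (the standard per-user and per-machine locations are assumed) and lists every domain or IP range that has been placed in a security zone. Those entries are what HijackThis reports as O15 lines, and they are what a reset to defaults clears. The script only reads the registry and changes nothing; it assumes PowerShell 3 or later.

```powershell
# Added example (not DelDomains or HijackThis code): a read-only audit of the
# Internet Explorer security-zone domain map. HijackThis reports entries here
# as O15 "Trusted Zone" lines, and resetting zone settings empties this map.
# The registry paths below are the standard ZoneMap locations; nothing is written.

$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

# Zone numbers as IE stores them in the per-protocol DWORD values.
$ZoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-ZoneName {
    param([int]$Zone)
    if ($ZoneNames.ContainsKey($Zone)) { return $ZoneNames[$Zone] }
    return "Unknown($Zone)"
}

function Get-ZoneMapEntries {
    param([Parameter(Mandatory=$true)][string]$Root)
    $results = @()
    $hive = $Root.Split(':')[0]

    # Domains: one subkey per registrable domain, optionally a nested subkey per
    # host label (or '*'); each protocol value ('http', 'https', '*') is a zone number.
    $domainsKey = Join-Path $Root 'Domains'
    if (Test-Path $domainsKey) {
        foreach ($key in Get-ChildItem -Path $domainsKey -Recurse) {
            $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $parts = $relative -split '\\'
            # 'example.com\www' -> www.example.com ; 'example.com' -> example.com
            $hostName = if ($parts.Count -ge 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            foreach ($valueName in $key.GetValueNames()) {
                $raw = $key.GetValue($valueName)
                if ($raw -isnot [int]) { continue }   # only DWORD zone values are meaningful
                $protocol = if ($valueName) { $valueName } else { '(default)' }
                $results += [pscustomobject]@{
                    Hive = $hive; Target = $hostName; Protocol = $protocol
                    Zone = $raw;  ZoneName = Get-ZoneName $raw
                }
            }
        }
    }

    # Ranges: ZoneMap\Ranges\<name> holds a ':Range' string (an IP or IP range)
    # plus the same per-protocol zone values.
    $rangesKey = Join-Path $Root 'Ranges'
    if (Test-Path $rangesKey) {
        foreach ($rangeKey in Get-ChildItem -Path $rangesKey) {
            $range = [string]$rangeKey.GetValue(':Range')
            foreach ($valueName in $rangeKey.GetValueNames()) {
                if ($valueName -eq ':Range') { continue }
                $raw = $rangeKey.GetValue($valueName)
                if ($raw -isnot [int]) { continue }
                $results += [pscustomobject]@{
                    Hive = $hive; Target = "range $range"; Protocol = $valueName
                    Zone = $raw;  ZoneName = Get-ZoneName $raw
                }
            }
        }
    }
    return $results
}

$entries = foreach ($root in $ZoneMapRoots) { Get-ZoneMapEntries -Root $root }

if (-not $entries) {
    Write-Output 'ZoneMap contains no domain or range entries (the reset/default state).'
} else {
    # Trusted Sites (zone 2) relaxes ActiveX and scripting restrictions, so those
    # entries are the ones to compare against the sites you actually added yourself.
    $entries | Sort-Object Zone, Target | Format-Table Hive, Target, Protocol, ZoneName -AutoSize
    $trusted = @($entries | Where-Object { $_.Zone -eq 2 })
    Write-Output "$($trusted.Count) entries in the Trusted Sites zone."
}
```

Run it before and after a zone reset to see the difference: a machine that has just had its zone settings returned to defaults reports no entries, while a machine whose Trusted Sites zone has been stuffed with domains shows each of them with zone 2. Anything there that you did not add yourself is worth investigating, since the Trusted Sites zone lowers the browser's restrictions for those hosts.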

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » January 3rd, 2009, 1:26 pm

Hi John,

All it does is reset the domain and zone settings to default. Pure and simple
I see. Thank you.


Regarding difficulties with browsing: Contacting my ISP (Earthlink) sounds like a good call. I actually have an open 'trouble ticket' with them right now, so I can move things in the direction of doing some line testing and whatever troubleshooting they are capable of doing.

I've been using the ICS technique for as long as I've had Earthlink (seven years). I move frequently, and the problem, now that I think about it, has been since I have been in my current location (about two years). Another change that occurred about two years ago is the ICS machine was switched out. Hmm.... same operating system, also started using Zone Alarm on both machines about that time. Closing or reconfiguring Zone Alarm has helped sometimes. Then other times there's no change with ZA running or not.

Changing my networking technique certainly is a possibility and something that may well fix the problem. I'm just not very savvy with the options. Right now the machines are wired together through an Ethernet hub. I know wireless is an option; I currently don't have any of the equipment for that. Only the ICS machine (a laptop) is set up for wireless at the moment. I'm in the process of taking the laptop out of the loop and replacing it with a desktop system. I'm also considering putting a third computer, or router, or external modem(?) in the loop to act as a firewall and dedicated internet gateway - if that is possible (working on learning more about that).


I appreciate the link for ordering SP3 on CD. My download is 70% complete at this point, so I'll just let it run while I accomplish other tasks. Looks like I've got a bit of preparation work to do before installing SP3. I encountered "Prerequisites to Install Windows XP SP3" here http://support.microsoft.com/kb/950717 while gathering information. Would you say all this is necessary/sound advice?

Thanks,
Annie
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » January 3rd, 2009, 2:21 pm

Hi Annie,

I've been using the ICS technique for as long as I've had Earthlink (seven years). I move frequently, and the problem, now that I think about it, has been since I have been in my current location (about two years). Another change that occurred about two years ago is the ICS machine was switched out. Hmm.... same operating system, also started using Zone Alarm on both machines about that time. Closing or reconfiguring Zone Alarm has helped sometimes. Then other times there's no change with ZA running or not.

If you like the new firewall software you may want to also get rid of ZoneAlarm on that machine. Still, because you are saying that not only ZA is at fault here, I am not confident in only changing the firewall software ;)

Changing my networking technique certainly is a possibility and something that may well fix the problem. I'm just not very savvy with the options. Right now the machines are wired together through an Ethernet hub. I know wireless is an option; I currently don't have any of the equipment for that. Only the ICS machine (a laptop) is set up for wireless at the moment. I'm in the process of taking the laptop out of the loop and replacing it with a desktop system. I'm also considering putting a third computer, or router, or external modem(?) in the loop to act as a firewall and dedicated internet gateway - if that is possible (working on learning more about that).

It is a pity that an important forum I was learning tech helping at recently closed because of financial reasons and lack of time, because there was some nice information there about hubs and routers. The easiest way to set up a home network is to buy a router (does not have to be wireless, but can be) and connect that to the modem you got from your ISP (or directly to the ISP if you have that now). Connecting the clients to the router and maybe running through some steps in the manual is all that needs to be done. Most people have this and I am sure you will be able to accomplish that as well.

I appreciate the link for ordering SP3 on CD. My download is 70% complete at this point, so I'll just let it run while I accomplish other tasks. Looks like I've got a bit of preparation work to do before installing SP3. I encountered "Prerequisites to Install Windows XP SP3" here http://support.microsoft.com/kb/950717 while gathering information. Would you say all this is necessary/sound advice?

I do recommend doing those things, but like stated there: Do not disable your anti-virus and firewall software while connected to the internet. This means that you must go to that page and then disconnect from the internet. You will still be able to be on that page and now you can do all those steps (including disabling security) and install the service pack.

Please let me know :)

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » January 3rd, 2009, 6:40 pm

Hi,

It is a pity that an important forum I was learning tech helping at recently closed because of financial reasons and lack of time, because there was some nice information there about hubs and routers.
Aw, shucks. Sorry to hear this. Sounded like you enjoyed it... and it's always nice to have a good source of information in one place.

The easiest way to set up a home network is to buy a router (does not have to be wireless, but can be) and connect that to the modem you got from your ISP (or directly to the ISP if you have that now).
I'm not clear about connecting the router to the modem when the modem is internal. I have a dial-up network connection configured that utilizes an internal modem (no ISP-supplied modem). Is the router capable of dialing? Does it become the Internet Gateway, rather than the computer that is configured to be the ICS unit?

I will keep you posted on progress with SP3 installation and changing out the software firewall, computers, etc.

I sure appreciate your time and input, John. :)

Cheers,
Annie
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm