TechSpot

Help with a HijackThis log

By onacomputer1
Jun 3, 2007
  1. Hi everybody.. my firewall was freezing a bit and acting weird, so I had to re-install it. I'm a little paranoid that somebody might have accessed my computer or personal information.. Could you check my HijackThis log and see if anything bad has happened, or if I have any malware or anything? I appreciate it!
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hi and welcome to TechSpot! :wave:

    You're running an outdated version of HijackThis, and you haven't renamed it. This is important because some malware can hide from the original filename.

    Please do the following.

    Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of onacomputer1 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Whew, I finally got through all the steps!

    I've attached the fresh logs. :)

    Oh yeah, and the AVG anti-root thing said it didn't find any infected files.

    Thanks!
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    All the items in your AVG Anti-spyware log say No Action Taken. That's because you haven't set the program to deal with the results correctly. Follow the instructions here and then post a fresh AVG Anti-spyware log.

    It appears that you have Spyware Terminator installed. This program was at one point listed on the rogue/suspect antispyware list. It was eventually delisted, but it cannot be recommended because of its reputation, and there are enough other tried-and-true trustworthy antispyware products that it's not worth running.

    Please copy and paste these instructions into a Notepad file (.txt) and save it to your desktop. Then you can have the file open in safe mode.

    Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

    In Windows Explorer, turn on "show all files and folders, including hidden and system." See how HERE.

    Go into Add/Remove Programs in your Control Panel and uninstall anything having to do with Spyware Terminator or PartyPoker.

    Run HijackThis with no other programmes open (except Notepad). Place a check in the box next to the following entries (if there):

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

    Click the Fix Checked button. Close HJT.

    Reboot into normal mode and then rehide your protected files, by doing the reverse of the above instructions.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Please post fresh HJT, AVG Anti-spyware, Avenger, and ComboFix logs as attachments into this thread.

    Regards :)

    This thread is for the use of onacomputer1 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Hi.. when I run HJT, AVG Anti-Spyware, Avenger, and ComboFix, should those all be in normal mode instead of safe mode?
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Ideally you should run your AVG Antispyware scan in safe mode. The remaining should be run from normal mode and the logs saved. Remember to unhide all your files and folders in safe mode before doing anything.

    In addition to the instructions kitty provided, I'd like you to also do the following while you are in safe mode.

    Navigate to the following files and delete them (note: some of them are hidden, so you have to show all files and folders)

    C:\WINDOWS\system32\instlsp.exe
    C:\WINDOWS\system32\5C339C16EE.sys


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Alright, I removed deleted those 2 files you requested.

    For the AVG Anti-Spyware scan, I did put the setting to "quarantine", but it still deleted all the tracking cookies (but it did quarantine the other 2 things it found..)


    So were there any nasty files or programs on my computer that someone could have used to access my computer or information? Or was it all just minor stuff?

    Thanks again. :)
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your AVG log still shows no action taken for all entries. Did you save the log after you performed the quarantine action? Please post a fresh log for us to confirm.

    Have HijackThis fix this entry:
    O4 - Global Startup: Free WebSite Tools.lnk = ?

    As far as I can tell, your logs are clean. When we're done with AVG antispyware, I'll provide some final cleaning instructions and you'll be good to go.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Okay I get what you mean with the AVG Spyware log, except this time only tracking cookies showed up, and it would only let me delete them instead of quarantine, so I hope that's okay.

    Anyways, here's the 2 fresh logs:
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the avenger folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Hello --

    Yesterday I was trying to retrieve a digital photo that I had deleted a few months ago, so I installed some programs that look through the memory card of the digital camera to try and retrieve files that had been deleted. Anyways, none of them found the file I needed, so I un-installed all of the programs. But today when I turned on my computer, a warning popped up that was some sort of memory error, and it said "Press okay to terminate the program, or cancel to debug". So I restarted my computer and then a message popped up that said

    "To help protect your computer, Windows has closed this program.

    Name: Generic Host Process for Win32 Services
    Publisher: Microsoft Corporation

    Data Execution Prevention helps protect against damage from viruses and other security threats."

    Anyways, I'm freaking out that one of the programs I installed might have been spyware and that they could have gotten a copy of each of the photos it found on my digital camera memory card? Is it possible that could have happened? I'm really worried about this, I want to make sure nobody could have gotten any of my family pictures.
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    It looks to me like you have gotten your system reinfected. Once again, I would require you to do the following.

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs if not it will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Hello.. I'm starting to run through all those steps again, but I'm wondering if you'll be able to tell if someone/something was able to access those digital photos retrieved from the memory card that the programs were looking for?
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Frankly, I'm not very sure about that, but I guess if the programs did retrieve the photos the files would have to be temporarily saved somewhere? After looking at your logs I'll be able to provide you a little more information on those progams and whether they send out sensitive/private information.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Alright, I ran that online virus scanner and for malware it found "EXPL_MHT.AF" and for Spyware it found "FREELOADER_SMITFRAUD" and "RAP_GENERIC". It cleaned up the malware thing fine, but it froze when trying to clean the 2 spyware parts.

    The anti-root scan found no infected files. My virus scanner found no viruses in safe mode. SS&D didn't find anything either, and Ad-Aware only found 4 tracking cookies.

    Here are the 3 fresh log files for the other 3 programs: (I hope this gives you enough information to know if any of my personal photos/information was infiltrated!)
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Judging from the infected files from your logs, I would say that your photos are likely to be safe.
    You had been infected with Spectre spyware, which takes screenshots of your computer at intervals and saves them in a password protected database. I checked a few different sites, and none show any sign that the spyware copies existing files to send out over the internet.

    Please post the fresh combofix log in your next reply.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Hi, I don't see an attachment to download that file.


    Also, is there anyway to tell what time and date this specific spyware program was installed on my computer? And is there anyway to tell if it was successful in capturing screencaps? That error message I got said that it stopped a bad program, so even if it was installed, wouldn't it have been useless? I also have a firewall, virus shielding, and spyware shielding always running on that computer.

    Thanks!
     
  18. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I'm terribly sorry about that. Must have forgotten to attach (was very sleepy last night :p)
    Here it is.

    Regarding the spyware, some of the latest created files show this date and time:
    2007-06-16 20:05
    another earlier one shows:
    2007-06-16 19:23

    Depending on when you discovered the infection, the spyware could have taken a few screenshots of your system. Should you have any logged in to any accounts with sensitive information I suggest you change all your passwords immediately, and notify any relevant authorities.
    Firewalls and real-time monitors can do the job but it also depends on the user's settings and online habits.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    So I'll never know if they did get screenshots of all the pictures? :(

    By the way, is there anyway to find out when you installed programs on your computer, even after you've un-installed them?

    Here's the fresh log:
     
  20. momok

    momok TS Rookie Posts: 2,265

    Hi,

    The spyware actually secretly takes screenshots of your desktop secretly whilst you are using the system. This means if you never managed to access your pictures, the screenshots would never include them.

    For the programs, the only way I know is right click on the folder > properties and see the date created. I'm not sure of how to find out if the entire file and folders are already removed from your system.

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    But when I was looking through the screenshot previews for all the photos it found on my memory card, it could have been taking secret screenshots of all of that? I really, really need to know if the spyware was able to take any screenshots. If I had someone look at my computer in person that was trained in computer security, could they be able to tell if the spyware worked? I sound like a broken record, but I really need to know..

    Thanks.
     
  22. momok

    momok TS Rookie Posts: 2,265

    Hi,

    To my best of knowledge, the screenshots are taken during configurable intervals, but unknown to us. So the possibility exists that your pictures were "seen" and taken by the spyware, or it might not have taken a screenshot at all during the time your were viewing your pictures.

    Please see HERE.

    I would suggest that since the images were highly sensitive, you take every precaution that you had in mind in case the screenshots did capture the pictures when you were viewing them.

    I wouldn't know if the spyware did work; Unless of course you had removed the infection before viewing your pictures.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  23. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    So if the spyware did capture my pictures, who has access to those screenshots? Just some random person?

    Even after I executed the ComboFix txt thing, I'm still having problems.

    Today when I booted this computer, an error titled "internal window: svchost.exe" came up and said "The instruction at "0x00000103" references memory at "0x000000103". The memory could not be "written"." Click on OK to terminate the program. Click on CANCEL to debug the program.

    Then I tried to open firefox, and it froze my computer, and Windows Task Manager wouldn't come up either. So then I restarted the computer, and I got that message that I received when I first knew something was wrong that says "To help protect your computer, windows has closed this program." It was worded exactly like how I received it the first time.

    What should I do?
     
  24. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You could have a windows problem.

    I would suggest that you do a repair via this thread HERE.


    Regards,
    Your friendly momok =)

    This thread is for the use of onacomputer1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  25. onacomputer1

    onacomputer1 TS Rookie Topic Starter

    Hello,

    If I'm still getting the same error now as I was originally a couple days ago even after I removed those files with ComboFix, then can we be sure that the "Spectre" spyware was actually running/causing the problem?

    Also, does spyware need to go through a computer reboot to be "activated", because I hadn't rebooted my computer for the first time after the spyware being installed until AFTER I had used all the programs to look at my pictures, so that would mean I would be in the clear if that's true.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...