TechSpot

Logs attached, please help

By stopcrime2009
Apr 17, 2009
  1. I have been hacked big time. If you have time, please review my log. I am trying to figure out if I should just reformat my whole computer and reinstall Windows XP.

    I am so afraid of what they got. They were using Skype to upload files, etc.

    Thanks in advance.


    CM
     


  2. touch

    touch TS Rookie Posts: 978

  3. stopcrime2009

    stopcrime2009 TS Rookie Topic Starter

    Please review these logs. Thanks.

    This is my 1st computer's log. This goes with the original post.

    Final log. Sorry.


    Please take a look at all of this. I truly appreciate it. Thanks in advance.
     
  4. touch

    touch TS Rookie Posts: 978

    I had not expected that you had sent the log files from two computers.

    Let us take one computer at a time, otherwise it becomes confusing ;)

    I also notice you have two Antivirus programs running ->
    "Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection.
    Not more."

    Remove/uninstall from "Add/Remove Programs" in Control Panel:
    One of your antivirus programs


    Then, please run 8-step Viruses guide, on computer Nr. one:


    Post attached logs from:

    Malwarebytes
    SUPERAntiSpyware
    HijackThis


    In your next reply
     
  5. stopcrime2009

    stopcrime2009 TS Rookie Topic Starter

    1st computer log files attached

    Thanks for helping me with this. This is computer 1.


    Please review the attached files.

    Thanks in advance.
     
  6. touch

    touch TS Rookie Posts: 978

    The following are not spyware/malware, but I suggest you place a check mark next to the following entries and hit Fix checked, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    (Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    (Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    (Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)


    Reboot. If computer Nr. 1 is running fine, I'll suggest you continue with computer Nr. 2 ;)
     
  7. stopcrime2009

    stopcrime2009 TS Rookie Topic Starter

    Thank you for responding. I appreciate it. I also would like to know what the top-of-the-line antivirus, all-in-one suite is that I could buy from now on. I want to have complete protection. I cannot trust my former suite at all. Too many trojan downloaders got through.

    Thanks.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You have McAfee and Symantec presently installed so I agree they both aren't good

    Do this, and you will be much better off ;)

    Uninstall your McAfee Antivirus
    Then run the McAfee Removal Tool

    Restart

    Uninstall your Symantec (or Norton) Antivirus (if it's even listed in Add\Remove programs)
    Then run the Norton Removal tool

    Restart

    Install Avira free AntiVirus (being the best one IMO)
    Update it, then run a full scan

    Much better off :)
     
  9. stopcrime2009

    stopcrime2009 TS Rookie Topic Starter

    I will post logs up tomorrow for computer #2. Thanks again.

    Ok I will do this in the morning. I did not even know I have Symantec on here also. I will put the Avira on. Thanks.

     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's review the security programs: Who's Confused?!


    The HJ log for Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 4:37:12 PM, on 4/18/2009 (Post #3) shows
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    AND
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    AND
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

    The HJ log for Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 10:26:27 PM, on 4/20/2009 (Post #3) shows
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe ONLY


    Computer #1: Post 3: shows the McAfee Suite and Avast
    Computer #1: Post 5: shows Avast only. McAfee removed.
    Another HJ log in Post 3:
    Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 6:15:56 PM, on 4/18/2009 shows
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    AND
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    Actually, there is Avast already installed and running. There are also 2 entries left from Symantec/Norton which can be removed by running the Norton Removal Tool.

    It would be very helpful if you clearly told us WHICH of these logs is for Computer #2, as they are all presented as Computer #1.

    My suggestion would be: If you have Avast or Avira, don't make a change. If you have PAID for the McAfee Suite, I would urge you to keep it for now. If it is only a trial version, okay to uninstall. Otherwise, remove the free programs and wait until the McAfee subscription comes due and THEN make a change.

    But I would like to discourage you from having ANY suite. You can find free standing, free antivirus program, firewall and spyware/adware programs. Why pay for a suite, especially one that doesn't work well?

    But understand that you, the user, are the first line of defense on computer security. No matter what security programs you have in place, what you do while online-email and surfing-makes the final malware decision!

    You have TeaTimer running. Real Time Protections must be temporarily disabled while scanning:
    SPYBOT TEATIMER

     
  11. stopcrime2009

    stopcrime2009 TS Rookie Topic Starter

    I am sorry. I thought I only uploaded computer 1 in the end. The final post with attachments.

    Post #5 is the correct post for computer #1. I will disable teatimer.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Confirm please: Computer #1 is running Avast as the only AV program.

    touch will finish with your logs.
     
  13. stopcrime2009

    stopcrime2009 TS Rookie Topic Starter

    Yes computer 1 is only using Avast now. Thanks.

    Here are computer #2 logs. Thanks in advance.

    Problem with computer #2

    Avira found the trojan, TR/Vundo.Gen

    It was quarantined and then deleted. Should I do any more with this?

    Thanks!
     
  14. touch

    touch TS Rookie Posts: 978

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2413] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5388] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7771] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8625] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
    O18 - Filter hijack: text/html - {5ca02e1f-6fbf-4522-8ba6-5a131f4601e3} - (no file)



    Reboot, attach new hijackthis log
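
Added example, not part of the original thread or any poster's code: a small Python triage script for the two checks the helpers do by eye above, namely spotting HijackThis entries whose target is reported as "(no file)" and spotting more than one antivirus product in the same log. The sample log is constructed from lines quoted in the thread, and the path fragments in `AV_MARKERS` are assumptions taken from those lines, not a complete vendor list.

```python
import re

# Constructed sample: lines quoted in this thread, trimmed to a short log.
SAMPLE_LOG = r"""
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O18 - Filter hijack: text/html - {5ca02e1f-6fbf-4522-8ba6-5a131f4601e3} - (no file)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<section>[ROFN]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Path fragments seen in this thread's logs (assumed markers, not a full list).
AV_MARKERS = {
    r"\symantec shared": "Symantec",
    r"\alwil software\avast4": "Avast",
    r"\mcafee": "McAfee",
    r"\avira": "Avira",
}

def parse_entries(log):
    """Return (section, body) for every entry line; other lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m["section"], m["body"]) for m in matches if m]

def orphaned_entries(log):
    """Entries whose target is reported as '(no file)', with their CLSID."""
    found = []
    for section, body in parse_entries(log):
        if body.rstrip().endswith("(no file)"):
            clsid = CLSID.search(body)
            found.append((section, clsid.group(0) if clsid else None))
    return found

def av_products(log):
    """Antivirus vendors referenced anywhere in the log, by path fragment."""
    text = log.lower()
    return sorted({name for frag, name in AV_MARKERS.items() if frag in text})

if __name__ == "__main__":
    print("orphaned:", orphaned_entries(SAMPLE_LOG))
    products = av_products(SAMPLE_LOG)
    print("antivirus products:", products, "(more than one)" if len(products) > 1 else "")
```
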
     
Topic Status:
Not open for further replies.
