TechSpot

My computer is infected

By tallb
Feb 26, 2008
  1. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

  2. tallb

    tallb TS Rookie Topic Starter Posts: 65

    logs:
    and AVG is still running so I'll upload it later :X
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    AVG = Step 14

    Hijackthis = step 15

    Can you please run Hijackthis again after AVG has finished and removed anything it finds.

    Next reply =AVG Log and new Hijackthis log
     
  4. tallb

    tallb TS Rookie Topic Starter Posts: 65

    I finished the AVG scan, please help me out now =/......
    and a new log
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Before I suggest a fix, what country do you live in? Here is why I ask. A certain infection usually links to servers in the Ukraine, Russia, Estonia, Turkey part of the world. This could be normal if you live there. Normally I don't ask, but you also have a Hebrew translation file on there. I am pretty sure it is just the infection but wanted to make 100% sure that you didn't live in the region.

    195.175.37.71:80 transparent proxy server Turkey
     
  6. tomrca

    tomrca TS Rookie Posts: 1,000

    Information for Blind Dragon

    from HERE
    Fresh anonymous proxy list. In addition, did you notice WildTangent??

    Anonymous proxy servers help you to hide your IP address and so prevent unauthorized access to your computer from the Internet. An anonymous proxy server between the user and the web site protects the user. Please use anonymous proxies for legal private activity only! Here is our fresh anonymous proxy list:
    199.196.63.224:80
    202.108.11.77:80
    202.108.11.137:80
    202.108.11.147:80
    195.175.37.71:80
    125.90.64.69:80
    60.195.248.146:80
    69.88.144.162:80
    216.163.188.40:80
    216.163.188.39:80
    125.90.64.72:80
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Thanks tom

    Yeah, I already saw that site when I googled it. I messaged momok to look at this log; there were a few things I wasn't sure about.
     
  8. tallb

    tallb TS Rookie Topic Starter Posts: 65

    Well, I live in Israel, and that file you saw, usually named hebrew.exe or upsidedown.exe, is a program that transforms English into Hebrew in a second if you accidentally type in the wrong language.
    What were those IPs you were talking about? Is this the IP that was hacking into my computer? In case you just wonder about the area, Israel is really close to Turkey, and usually Israel is attached to Turkey in online games and servers because we're so close.
     
  9. momok

    momok TS Rookie Posts: 2,265

    For Blind Dragon
    I would fix these HJT entries:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: SpearCast BHO - {93AE98A9-E4F6-4F76-BD98-872FA7D45E51} - (no file)
    O3 - Toolbar: Palore - {C44B1312-178E-40A7-8B32-FEC9D6F4A159} - (no file)
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

    In addition, these are the files I would recommend deleting (from ComboFix):
    C:\WINDOWS\unins000.exe
    C:\WINDOWS\system32\khclkcs.dat

    Remember to flush system restore points when the system is clean.

    Regards,
    momok
     
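    The HijackThis lines momok lists above all share two tell-tale traits: a CLSID registered in the browser with no file behind it ("(no file)" / "(file missing)"), and an O16 "Downloaded Program File" that points at a remote CAB. The following Python script is an added example, not code from the thread or from the HijackThis project: it parses O2/O3/O16 lines and flags those traits so a helper can triage a pasted log quickly. The sample log is constructed from the entries quoted in this thread plus one benign-looking entry (with a made-up CLSID and path) so the triage has a negative case.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the HijackThis lines quoted in this thread plus one
# benign-looking entry (assumed, not from the page) as a negative case.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SpearCast BHO - {93AE98A9-E4F6-4F76-BD98-872FA7D45E51} - (no file)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)
O3 - Toolbar: Palore - {C44B1312-178E-40A7-8B32-FEC9D6F4A159} - (no file)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# "O2 - BHO: <name> - {CLSID} - <target>"; O16 lines have no name before the CLSID.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[A-Za-z]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    target: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one CLSID-bearing HijackThis line (O2/O3/O16); return None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    c = CLSID_RE.search(rest)
    if not c:
        return None  # sections without a CLSID (O4 startup items, etc.) are out of scope here
    name = rest[: c.start()].strip(" -")
    target = rest[c.end():].strip(" -")
    return Entry(m.group("section"), m.group("kind"), name, c.group(0), target)


def triage(entry: Entry) -> Entry:
    """Attach human-readable reasons why a helper would tick this entry."""
    t = entry.target.lower()
    if t == "(no file)" or t.endswith("(file missing)"):
        entry.reasons.append(
            "orphaned registration: the DLL/CAB is gone; safe to 'Fix checked', "
            "and often a sign something was only partly removed")
    if entry.section == "O16" and re.match(r"https?://", t):
        entry.reasons.append(
            "ActiveX download (DPF) from a remote URL: code a web page installed; "
            "remove unless deliberately installed")
    if entry.name.lower() == "(no name)":
        entry.reasons.append("unnamed BHO: legitimate helper objects almost always register a name")
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str) -> List[Entry]:
    """All parsed entries that have at least one triage reason."""
    entries = [triage(e) for e in parse_log(text)]
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_HJT_LOG):
        print(f"{e.section} {e.clsid} {e.name or '(no name)'}")
        for r in e.reasons:
            print(f"    - {r}")
```

Five of the six sample lines come out flagged; the only one left alone is the constructed entry whose DLL is still present. The script deliberately stops at "reasons to look closer": an orphaned CLSID is harmless to fix, but the interesting question for incident response is what deleted or never installed the file it points to.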
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    @tallb

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
    -------------------------------------------------------------------------------------------------------

    After combofix has finished running.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: SpearCast BHO - {93AE98A9-E4F6-4F76-BD98-872FA7D45E51} - (no file)
    O3 - Toolbar: Palore - {C44B1312-178E-40A7-8B32-FEC9D6F4A159} - (no file)
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab


    Select Fix Checked

    Reboot the computer into Normal Mode

    and post a fresh Hijackthis log
     
  11. tallb

    tallb TS Rookie Topic Starter Posts: 65

    my results...
    whats next? :X
    am i ok now? :O
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yes your logs look good.

    Run Hijackthis again - Do a System Scan only - put a check beside
    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)

    Select Fix Checked
    --------------------------------------------------------------------------------------------------------
    Go to Start -> Run -> type in combofix /u
    *note the space between
    This will uninstall ComboFix
    *remove VundoFix backups
    *remove quarantine files
    *create a fresh clean restore point

    Remove Hijackthis from Start-> control panel -> add/remove programs
    Remove the 3 tools from step 10 (SmitFraud, VundoFix, VirtumundoBeGone) by dragging them to the recycle bin

    I recommend you keep
    1 antivirus program (AVG, not Anti-Spyware)
    1 firewall
    Spybot S&D, Adaware 2007, AVG Anti Spyware if you want but the version we downloaded is a 30 day trial

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
     
  13. tallb

    tallb TS Rookie Topic Starter Posts: 65

    ok man, thanks a lot for the help, I'll let you guys know if it worked for me :)
    but how do I do these last steps?
    *remove VundoFix backups
    *remove quarantine files
    *create a fresh clean restore point
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I guess I need to make that clearer: when you Run -> combofix /u, it does all that for you.
     
  15. tallb

    tallb TS Rookie Topic Starter Posts: 65

    oh mannnnn it just happened again :(
    BCCode : 10000050 BCP1 : E638C864 BCP2 : 00000000 BCP3 : BFA9F7C8
    BCP4 : 00000001 OSVer : 5_1_2600 SP : 2_0 Product : 256_1
    what do I do?? I was sure I'm finally ok now ;(
     
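    The two lines tallb pasted are the Windows XP error-report signature of a blue screen, and they carry enough to start the analysis that kimsland does later in the thread (which driver touched what address). The following Python script is an added example, not something posted in the thread: it parses that signature, names the bug check, and decodes the documented parameters of bug check 0x50 (PAGE_FAULT_IN_NONPAGED_AREA: parameter 1 is the address referenced, parameter 2 is 0 for a read and 1 for a write, parameter 3 is the instruction that did the access). Two things are assumptions rather than facts from the page: that the 0x10000000 bit XP's reports add to the code does not change the crash type, and that the 0xBF800000-0xBFFFFFFF range is session space (win32k.sys and display drivers) on 32-bit XP.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed input: the two-line crash signature tallb pasted into the thread.
SAMPLE_REPORT = """BCCode : 10000050 BCP1 : E638C864 BCP2 : 00000000 BCP3 : BFA9F7C8
BCP4 : 00000001 OSVer : 5_1_2600 SP : 2_0 Product : 256_1"""

FIELD_RE = re.compile(r"(\w+) : (\S+)")

# A few documented 32-bit bug check codes. XP's error-report strings carry an
# extra 0x10000000 bit (assumption: it does not change the crash type), so the
# lookup uses only the low 16 bits.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


@dataclass
class Crash:
    code: int
    name: str
    params: Tuple[int, int, int, int]
    os_version: str
    faulting_address: int        # memory the driver tried to touch
    access: str                  # "read" or "write"
    referencing_address: int     # instruction that did the access, if known
    referencing_region: str


def parse_fields(text: str) -> Dict[str, str]:
    """Turn 'KEY : VALUE' pairs (possibly spread over several lines) into a dict."""
    return dict(FIELD_RE.findall(text))


def region_32bit(addr: int) -> str:
    """Coarse classification under XP's default 2 GB/2 GB split.
    The session-space range is the typical one for 32-bit XP (assumption)."""
    if addr < 0x80000000:
        return "user mode"
    if 0xBF800000 <= addr <= 0xBFFFFFFF:
        return "kernel session space (win32k.sys and display drivers)"
    return "kernel mode"


def decode(text: str) -> Crash:
    f = parse_fields(text)
    code = int(f["BCCode"], 16)
    params = tuple(int(f[k], 16) for k in ("BCP1", "BCP2", "BCP3", "BCP4"))
    name = BUGCHECK_NAMES.get(code & 0xFFFF, "UNKNOWN")
    major, minor, build = f["OSVer"].split("_")
    sp_major = f["SP"].split("_")[0]
    os_version = f"{major}.{minor}.{build} SP{sp_major}"
    if (code & 0xFFFF) != 0x50:
        raise ValueError(f"parameter decoding only implemented for 0x50, got {name}")
    # Documented meaning of the 0x50 parameters: p1 = address referenced,
    # p2 = 0 read / 1 write, p3 = address of the instruction that referenced it.
    return Crash(code, name, params, os_version,
                 params[0], "read" if params[1] == 0 else "write",
                 params[2], region_32bit(params[2]))


if __name__ == "__main__":
    c = decode(SAMPLE_REPORT)
    print(f"{c.name} (0x{c.code:08X}) on Windows {c.os_version}")
    print(f"  {c.access} of 0x{c.faulting_address:08X} by code at "
          f"0x{c.referencing_address:08X} [{c.referencing_region}]")
```

For the pasted record this yields a read of 0xE638C864 by code at 0xBFA9F7C8, which on a 32-bit XP layout sits where the display driver lives; that lines up with the nv4_disp.dll attribution in the thread. Matching the address to a specific module still needs the minidump's loaded-module list, which is why the helpers ask for the files under C:\windows\minidump.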
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you attach the last few minidumps here for us, click the attach icon (looks like paperclip) and navigate to C:\windows\minidump\minidump.dmp
     
  17. tallb

    tallb TS Rookie Topic Starter Posts: 65

    I used to have around 70 minidumps but now, after I ran all the programs, I guess they deleted them and now I only have 2 :X
     
  18. tallb

    tallb TS Rookie Topic Starter Posts: 65

    dude? :eek: it happened 4 times today already can you guys help me out? :X
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Probably caused by : DrvFltIp
    Probably caused by : nv4_disp.dll

    DrvFltIp
    http://www.symantec.com/security_response/writeup.jsp?docid=2007-092009-4412-99&tabid=2
    You must remove this Spyware
    Please view the above link, for files that are likely infected (and requiring removal)

    nv4_disp.dll
    There are a lot of issues found on the web with this Video driver (and a lot of fixes - none that seem to be the only fix)

    Try:

    Fully removing your Video drivers (even using a driver cleaner)

    Then installing the new drivers from:
    nVidia
    Or from here http://content.guru3d.com/newsitem.php?id=3508
    Or from your original install CD

    If that doesn't work:
    Set your bios to 64 Meg video (Windows will adjust anyway)



    Basically just a Video driver issue, made worse by Spyware.

    Please report back.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    So on the spyware side, first go to Add/Remove Programs and try uninstalling SpySure.

    # Go to Start > Search > All Files or Folders.
    # In the "All or part of the file name" section, type in "SpySure" file name(s).
    # To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
    # When Windows finishes your search, hover over the "In Folder" of "SpySure", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard and paste it here

    I will give better instructions once you get me the path
     
  21. tallb

    tallb TS Rookie Topic Starter Posts: 65

    If I remove my video driver, won't my computer be unable to display anything?
     
  22. tallb

    tallb TS Rookie Topic Starter Posts: 65

    Search is complete. There are no results to display.
    :X
    what do I do? :O
     
  23. tallb

    tallb TS Rookie Topic Starter Posts: 65

    I have changed the driver but my search result didn't show anything about the virus, what shall I do?
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    ok, try searching for the actual files associated with it, and remember, if you find one of these -> I need the paths of where it is installed, for example C:\Windows\spysure

    spysureinstallzip[1].exe
    syservice.exe
    servirsess.exe
    servircess.exe
    ashcap
     
Topic Status:
Not open for further replies.
