brq.txt
Registry Mechanic has stopped running, the computer has been going slow, and when I try to install spyware/trojan scanners in my PC (running XP Professional), I get a message saying that access is denied and I don't have the admin rights, etc. This is from a user account specifically with user rights. I have a file called brq.txt in my Paltalk received files (not sent with my permission, and via a user account which did not have administrative rights to download anything, so it has me bugged). Avast antivirus and ZoneAlarm detected nothing, but if it is in Paltalk received files, I suspect that it has somehow come through that chat program. I thought it might have been RBOT.BRQ, since the file name was the same, and the contents of the file are an IP address, which is consistent with the description given in the Trend Micro site, but when I look at their instructions for manual removal, none of the Windows processes that are supposed to run in this worm are present, nor are any of the suggested registry entries for that worm. So I'm guessing it's another worm that is similar. Does anyone know what particular worm this is? If I know, perhaps I can find out some way to manually delete it (suggestions gratefully received at this point). This is the second worm we've received in a couple of months through this chat program, but my mother insists on using it. We've even taken the precaution of restricting most user accounts to limited access to minimise the threat. We haven't hooked up our hardware firewall again yet since we've got it back from the shop. Nothing is in My Network Places that is unusual, although there seems to be some residue from where it was obviously hooked up at the university repair shop (was put in a workgroup with their computers, I think, because they had to transfer stuff - the names correspond to the name of the computer shop, and they have always been trustworthy). Can't think of any other relevant info to add.
This discussion has been closed.
Comments
That file doesn't seem like a worm...
Do this
Create a folder in your C: and call it HJT
Go here and download a program called HijackThis (HJT), and save it in your new folder
Unzip HJT and create a log. Post it here
Here is the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 7:04:20 PM, on 7/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE
O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I think maybe you're right about it not being a trojan. Although Trojan Guard Gold said I had one, Spybot Search & Destroy and a few others never detected any. I'm not sure what I do with this log, however. But if you can point me in the right direction, maybe I will be able to learn some skills that will help me if (God forbid!) it should ever happen again. I'm very eager to learn to handle this sort of thing so I don't necessarily have to go running to a computer tech shop every time something goes wrong, and I have a long way to go before I'm in this position yet!
Step 1
You are currently running HijackThis from here:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip
Please make a folder here:
C:\HJT
and place HijackThis in that folder so backups can be created.
DO NOT follow the steps below until you have moved HijackThis
Step 2 - After doing the above
Go to Add/Remove programs in Control Panel and look for the following
Spyware Cleaner
If found, please uninstall.
Step 3
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Step 4
You may want to print these instructions or save them as you'll have no internet connection once in Safe Mode
View hidden files and folders – explained here
Go into Safe Mode - explained here
Step 5
Once in Safe Mode
We need to DISABLE SpyBot's TeaTimer as it may interfere with the fix.
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Exit SpyBot
Step 6
Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
Step 7
Find and Delete the following:
C:\Program Files\Spyware Cleaner << this folder
Step 8
Run Ewido (Do not use the computer while Ewido is scanning as it may interrupt the scan)
- Click on scanner
- Click Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close Ewido
Step 9
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
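The "Fix Checked" step above asks the reader to pick entries out of a HijackThis log by hand. As an added example (not from this thread and not part of HijackThis itself), here is a small Python triage script that parses the O4 autostart lines, the R3 line and the O23 service lines from the log posted earlier and flags the ones a reviewer would look at first: autostarts that give no directory for the program they launch, programs launched from the Windows root rather than system32 or Program Files, services whose file HijackThis could not find, and the missing URLSearchHook. The flagging rules are my own heuristics and the sample lines are copied from the log above; a flag means "go and check this file and its publisher", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the HijackThis 1.99.1 log posted above. The triage rules
# below are the author's own heuristics, not anything HijackThis computes.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: palstart.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()

# O4 lines come in two shapes: a registry Run value, or a Startup-folder item.
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (.*)$')


@dataclass
class Autostart:
    source: str   # "HKLM", "HKCU" or "Global Startup"
    name: str     # registry value name or shortcut/file name
    exe: str      # executable token with quotes stripped and arguments dropped


@dataclass
class Finding:
    line: str
    reason: str


def first_token(cmd: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(' ', 1)[0]


def parse_o4(line: str) -> Optional[Autostart]:
    """Parse an O4 autostart line into source, name and executable; None otherwise."""
    m = O4_RUN.match(line)
    if m:
        return Autostart(m.group(1), m.group(2), first_token(m.group(3)))
    m = O4_STARTUP.match(line)
    if m:
        rest = m.group(1)
        if ' = ' in rest:                 # "Foo.lnk = C:\path\foo.exe"
            name, cmd = rest.split(' = ', 1)
        else:                             # bare file name, no target shown
            name, cmd = rest, rest
        return Autostart("Global Startup", name, first_token(cmd))
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the lines worth a closer look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith('R3 ') and line.endswith('is missing'):
            findings.append(Finding(line, 'default URLSearchHook is missing; HJT can restore it'))
            continue
        if line.startswith('O23 ') and '(file missing)' in line:
            findings.append(Finding(line, 'service points at a file HJT could not find'))
            continue
        entry = parse_o4(line)
        if entry is None:
            continue
        if '\\' not in entry.exe:
            findings.append(Finding(
                line, f'[{entry.name}] gives no directory for {entry.exe}; locate the file first'))
        elif entry.exe.lower().rsplit('\\', 1)[0] == r'c:\windows':
            findings.append(Finding(
                line, f'[{entry.name}] runs {entry.exe} from the Windows root, not system32 or Program Files; check its publisher'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

Run against the sample, the script flags the missing URLSearchHook, PowerS.exe in the Windows root, the path-less nwiz.exe and palstart.exe entries, and the avast! service marked "(file missing)", while leaving the fully-pathed Program Files entries alone. Note that the Spyware Cleaner entry the helper singled out is not caught by these path rules; that call rests on knowing the product, which is exactly the kind of knowledge a heuristic pass cannot replace.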
I went back into normal Windows and attempted to run the program and I was denied access to the folder containing the program (was also listed as an empty folder). I then moved into another user name on this PC and got access to the folder (It wasn't empty!!!).
When I did try to run a scan using Hijack This, I got a message stating that I was denied access to running this program. The program did display a message saying that I would have to remove it manually. The instructions, which I followed, said to click on 'run' and type in the following:
notepad "C:\WINDOWS\System32\drivers\etc\hosts"
press enter, find the line 'Hijack this reports', delete, and save the file as "hosts". When I tried to do this, I got the message that the file location I typed in didn't exist. So I couldn't even do that. I did check to make sure that it was typed in accurately, and I could not find any errors in typing.
Thanks so much. This is the second time I've been hijacked in 2 months, despite following every precaution given to me by the techs who had to reformat my computer last time. I'll be glad to get proactive!!!
ewido anti-malware - Scan report
+ Created on: 11:27:40 PM, 7/01/2006
+ Report-Checksum: 5AD90B6
+ Scan result:
:mozilla.24:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Com : Ignored
:mozilla.25:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Com : Ignored
:mozilla.26:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Com : Ignored
:mozilla.29:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.22:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.23:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.24:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.25:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.26:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.27:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.28:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.41:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Ignored
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@techrepublic.com[1].txt -> Spyware.Cookie.Com : Ignored
:mozilla.116:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.117:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.118:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
C:\Documents and Settings\Tricia\Cookies\tricia@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.6:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\y20ytlch.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Michelle\Cookies\michelle@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Michelle Bullas\Application Data\Mozilla\Firefox\Profiles\asall375.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@bigpond.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Michelle Bullas\Cookies\michelle bullas@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Tricia\Application Data\Mozilla\Firefox\Profiles\czk6ud4i.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@bigpond.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@ehg-techtarget.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Tricia\Cookies\tricia@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\WildTangent\Components\SystemConfig0100.dll -> Spyware.WinAD : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 11:33:38 PM, on 7/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PowerS.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE
O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Are you still having problems? If so, what are they?
1. Registry Mechanic will no longer correct problems. If you reinstall it the same thing happens.
2. Every time I try to install any sort of software (even if the user account specifically has computer administrator rights), I get the message that access is denied, or I don't have the authority to do anything unless I log in as a member of the power user group or Administrator (the other account which is only accessible using safe mode). We have had the whole computer reformatted about a month ago, have never had any 'power user group' with admin rights on this computer, and I have checked with the university computer repair shop to check that this wasn't any sort of residue from linking it up with their computer workgroup while it was being purged of the last hijacker. They have said categorically that it is not.
3. Once I started following the instructions you set out in the last post, I was doing it from my user account. I went to look at the folder where I had placed the security software (in my mother's user account through documents & settings\tricia\my documents\security downloads), and it gave me a message that I did not have the rights to access this folder. (I had been able to do that up until the previous day.) Underneath the icon it indicated that this folder, furthermore, was empty. I changed to the other user account and it was not empty. Also, as soon as I started to try to look at this folder, the whole computer went on a 'go slow'. Speed is normal now, but I notice that if I make any action that is specifically geared towards any sort of security scan or repair, the same thing will happen.
4. Prior to posting, I did find a file in Paltalk received files that was not put there by me. I was denied access to remove it. I eventually managed to do so after I got wind of the fact that much of the stuff that intruders put in doesn't really work in safe mode. It contained an unrecognised IP address, had not been there until that day, and was not related to my own ISP. Apparently, several of Mum's friends have also had strange things like that put into their received files whilst using the chat/messaging program.
5. My security software does not seem to be picking up things the way it did prior to finding this file. Not even the usual amount of false positives which usually seem to arise. (I'm using Avast anti-virus and Zone Alarm.) My anti-virus continues to update daily, but the lack of effectiveness seems to correspond with what I experienced the last time the browser was hijacked. All security software is experiencing this at present. It's almost like it has been specifically targeted.
6. I have checked My Network Places. There is nothing amiss there - no strange computers networked to it. There are still the computer shop workgroup computers listed under the workgrouped computers, but I have checked with the repair place, and it was theirs. They neglected to remove it before I collected the computer, but it's not going to be effective anyway since I'm not physically connected to the workgroup at present. (It wasn't hooked up with a domain, or something like that, I think they said.) I had not experienced any problems with the computer until the intrusive file was placed in it, so I've been discounting that as a potential source of problem.
7. A few nights ago, Mum sat down at the computer. She wasn't in any chat program, no windows were open, and we had nothing like Windows Media Player going (and no music CD in the CD-ROM drive), and she reported hearing a musical sound coming out of the PC (not one of the Windows sounds that we use for Windows events).
My hard disk is brand new. At the time of the last computer hijack, the repair shop located problems with the hard disk and it had to be replaced. An image of the drive was made prior to this as a necessity, since the last hijacker refused me access to my CD burning software, and I couldn't back up any of my data.
Some other information which may potentially be helpful - I am connected to the internet via cable broadband. I haven't had a chance to re-connect my hardware router yet. I believe my ISP uses a dynamic address.
Also, the red hard disk light on the computer has been acting normally. During the last attack, it would go on solidly when something was dodgy, which alerted us to the problem. But we've had no problems with it this time.
When I took out that IP file, I figured that at least if there had been any other sort of remote control, at least it could maybe break their connection so that whatever code referred to sending anything to that IP would no longer have anything to send it to. Is it possible that a remote connection was established somehow at some point and maybe some of my policies, protocols, administrative rights were changed and are still in operation? I assumed that there would no longer be any sort of remote access, but find it disturbing that the moment I start going specifically to a file where I've stored security related programs, I suddenly don't have rights to access that folder. This also is consistent with the last attack on my computer. At that time, at first I couldn't download anything through IE. But then I discovered that I could do so through Firefox. Then as I was able to do that over the next few days, suddenly that was denied, etc, etc, and went on like that. This time around, we have noticed that Firefox stopped working about the same time that the intrusive file was located. Since then we've had to use IE.
We installed a trial version of Trojan Guarder Gold (I think it was called that), which is supposed to be able to pick up unknown trojans as well. It found an infection, and claimed to be able to remove it, but you can't actually remove anything with the trial version, and you have to buy the full version in order to do it.
This was what initially prompted me to post on this board, as I assumed at this point that it really was a trojan.
What file is this you mention? Is it brq.txt?
==
Go here and download then run Silent Runners.vbs. It generates a log, please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.
Yes - that was it. Inserted in the Paltalk Received Files folder in C:\Program Files\Paltalk. I managed to remove it in safe mode. It no longer exists, but funny things are still happening with the computer.
For instance, I was able to listen to one music sample at Amazon.com about 5 minutes ago. When I went to listen to a second short sample from the same album, suddenly my access rights had been revoked. Now I can no longer do this with any of them (including the first one I listened to), and this is happening frequently. If I'm able to access something once through the internet, then I find if I go to do it a second time, I suddenly get messages that either I don't have access rights or that the material simply can't be accessed. It sounds paranoid, but it's almost like my movements are monitored. This is not normal behaviour for my computer, and did not happen prior to this file being deposited on my computer.
I thought it might have been that brq worm at first, since a Google search on 'brq.txt' revealed information that this file was associated with this worm, but when I went to a site that gave manual instructions for its removal, I found that none of the files associated with the instructions were actually located on my computer, which is totally weird, because everything else seemed to fit with the description of that particular worm.
The only place I can be sure of accessing anything freely at the moment is safe mode, and I have no internet access from there. Even to install the programs you recommended meant downloading, then going into safe mode, restarting in normal windows to update the definitions, and then restarting again in safe mode in order to be sure of being able to run it. Some programs are able to run in normal Windows once I've installed them in safe mode. Others seem to be barred from running in anything but safe mode.
I do not appear to have complete administrative rights over my own computer, even in user accounts which have been granted them. The only thing I haven't checked is the internet settings in IE. Last time I was hijacked, they were changed and I was barred from changing them back. I will check to see if this is happening this time.
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PowerS" = "C:\WINDOWS\PowerS.exe" ["prolink"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"BigPondCable" = ""C:\Program Files\Telstra\Cable Login\bpcable.exe" /r" ["Telstra"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"RegistryMechanic" = "C:\Program Files\Registry Mechanic\regmech.exe /QS" ["PC Tools Research Pty Ltd"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" ["Qualcomm Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" ["Qualcomm Inc."]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Active Desktop and Wallpaper:
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Michelle\Application Data\Webshots\The Webshots Desktop\Wallpaper.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\PROGRA~1\Webshots\webshots.scr" ["Webshots.com"]
Startup items in "Michelle" & "All Users" startup folders:
C:\Documents and Settings\Michelle\Start Menu\Programs\Startup
"Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS]
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]
"Webshots" -> shortcut to: "C:\Program Files\Webshots\Launcher.exe /t" [null data]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
INFECTION WARNING! "palstart.exe" [null data]
"Remote Controller" -> shortcut to: "C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE" ["TelSignal Co., Ltd."]
"Scheduler" -> shortcut to: "C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE" ["TelSignal Co., Ltd."]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 38 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 39 seconds.
(total run time: 156 seconds)
What bugs me is the name of the computer. Before I took it to be serviced, it was named Tricia (each of our computers is named after which of us is the primary user). The name listed here corresponds to the workgroup name that was set up with it when it was fixed. But I understood that they were supposed to use my disk image to set it up like it was before I took it there. Is this something harmless that I can just change myself? Or is it part of the problem? As I indicated, I never had problems for over a month after getting it back. Also, I have tried to remove the workgroup icons from my computer but seem to be unable to do so. I don't know whether this relates to my ignorance of networking procedures, however. If they have done something that is in any way responsible for this problem, they are going to have to rectify it, but I will need to know.
I think we should remove it.
Tell me you want to remove it, then we will carry on.
I do have a question, though. I'm pretty sure that this is Mum's chat program. It makes sense to get an infection through this, as hackers have been known to lurk around that program and deliberately infect users' computers. If we remove it and then a fresh install of the chat program is done, will the problem be gone, or will there be likely to be some hidden residue somewhere which will execute whatever code was set up?
In any case, I guess I had better remove it. How do I go about this?
The most recent HJT file is pasted below. I now have no access to the HJT folder through normal Windows, and have to go into safe mode in order to use it. Previously, I was able to use this program through normal Windows.
Logfile of HijackThis v1.99.1
Scan saved at 10:50:36 AM, on 9/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE
O4 - Global Startup: Scheduler.lnk = C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
palstart
If found, please uninstall.
==
Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
O4 - Global Startup: palstart.exe
==
We need to do a search. Click Start > Search > All Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:
palstart.exe
If any of these files are found please delete them.
==
Reboot your computer and let me know how things are.
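As an added example (not part of this thread and not HijackThis code), a small Python script that parses log lines in the HJT v1.99.1 format posted above and applies the two checks a helper does by eye: a Startup-folder item that is a bare program rather than a .lnk shortcut (the palstart.exe line fixed above), and O23 services reported with "(file missing)". The log lines embedded in it are constructed, modelled on the ones in this thread.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HJT v1.99.1 format, modelled on the log in this thread:
# one bare executable in the all-users Startup folder and one service whose
# binary HJT reports as missing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line shapes used by HJT 1.99.1 for startup-folder items, registry Run values
# and services. Other sections (R0, O2, O9, O16, ...) are ignored here.
O4_STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+)$")
O4_RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\[^:]+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Entry:
    kind: str              # "startup", "run" or "service"
    location: str          # startup folder label, Run key, or service owner
    name: str              # item name, Run value name, or service display name
    target: Optional[str]  # command or path; None when the line has no target
    raw: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn the recognised O4/O23 lines of an HJT log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            # A shortcut shows as 'Name.lnk = <path>'; a bare file has no ' = '.
            name, sep, target = m.group(2).partition(" = ")
            entries.append(Entry("startup", m.group(1), name,
                                 target if sep else None, line))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m.group(1), m.group(2), m.group(3), line))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("service", m.group(2), m.group(1), m.group(3), line))
    return entries


def bare_startup_items(entries: List[Entry]) -> List[str]:
    """Startup-folder entries that are a program file, not a .lnk shortcut.

    This is exactly how 'O4 - Global Startup: palstart.exe' appears in the
    thread: no target, no .lnk suffix, so the file itself sits in the folder.
    """
    return [e.name for e in entries
            if e.kind == "startup" and e.target is None
            and not e.name.lower().endswith(".lnk")]


def services_with_missing_file(entries: List[Entry]) -> List[str]:
    """Services whose binary HJT could not locate. Confirm by hand before
    acting: HJT 1.99.1 also reports this for legitimate services whose
    ImagePath is a quoted path followed by arguments, as with avast! here."""
    return [e.name for e in entries
            if e.kind == "service" and e.target.endswith("(file missing)")]


def triage(text: str) -> dict:
    """Run both checks over a log and return the names worth a closer look."""
    entries = parse_hjt(text)
    return {
        "bare_startup": bare_startup_items(entries),
        "missing_service_file": services_with_missing_file(entries),
    }


if __name__ == "__main__":
    for check, names in triage(SAMPLE_LOG).items():
        print(f"{check}: {names}")
```

Feed it the text of a posted log (the O4 and O23 sections are the ones it understands) and treat the output as a list of entries to verify, not an automatic delete list.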
LOCATION:199.106.211.53:5001
Does this look at all familiar in terms of computer hijacking?