Appreciate help with HJT log

Hi, I think I was infected with a backdoor.irc and have spent a few days trying to clean up my system. If someone could please look over my log and offer any additional help that would be great! Thanks for any and all help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:18:49 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\sarHiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.news.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.news..google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.news.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.news.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.news.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.news.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.news.google.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

--
End of file - 4349 bytes

Process list saved on 4:14:50 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
416 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
488 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
532 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
544 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
704 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
864 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
928 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1020 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1096 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe 7.5.0.445 GRISOFT, s.r.o.
1188 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe 7.5.0.420 GRISOFT, s.r.o.
1212 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe 7.5.0.442 GRISOFT, s.r.o.
1284 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1300 C:\Program Files\UPHClean\uphclean.exe 1.6.30.0 Microsoft Corporation
1368 C:\WINDOWS\System32\wbem\wmiapsrv.exe 5.1.2600.2180 Microsoft Corporation
1564 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1800 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe 7.5.0.438 GRISOFT, s.r.o.
1812 C:\WINDOWS\SOUNDMAN.EXE 5.1.0.58 Realtek Semiconductor Corp.
1820 C:\WINDOWS\system32\imapi.exe 5.1.2600.2180 Microsoft Corporation
1880 C:\WINDOWS\vVX6000.exe 1.0.5.6 Microsoft Corporation
1900 C:\Program Files\Microsoft IntelliType Pro\itype.exe 6.10.156.0 Microsoft Corporation
1920 C:\WINDOWS\system32\hkcmd.exe 3.0.0.4396 Intel Corporation
2016 C:\Program Files\Logitech\SetPoint\KEM.exe 2.11.459.0 Logitech Inc.
136 C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE 2.11.427.0 Logitech Inc.
1172 C:\Program Files\Windows Defender\MsMpEng.exe 1.1.1593.0 Microsoft Corporation
888 C:\Program Files\Windows Defender\MSASCui.exe 1.1.1593.0 Microsoft Corporation
1268 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20070.31202 Mozilla Corporation
3332 C:\WINDOWS\system32\notepad.exe 5.1.2600.2180 Microsoft Corporation
2376 C:\Program Files\sarHiJackThis_v2.exe 2.0.0.0 Trend Micro Inc.
2136 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation

Volume in drive C has no label.
Volume Serial Number is C8FE-62A7

Directory of c:\WINDOWS\Prefetch

03/31/2007 04:31 PM 19,914 RUNDLL32.EXE-17D51176.pf
1 File(s) 19,914 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

02/14/2007 04:40 PM 33,280 rundll32.exe
1 File(s) 33,280 bytes

Directory of c:\WINDOWS\system32

08/04/2004 02:56 AM 33,280 rundll32.exe
1 File(s) 33,280 bytes

Directory of c:\WINDOWS\system32\dllcache

08/04/2004 02:56 AM 33,280 rundll32.exe
1 File(s) 33,280 bytes

Total Files Listed:
4 File(s) 119,754 bytes
0 Dir(s) 113,854,103,552 bytes free
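As an added example (not part of the original post, and not a HijackThis feature), a small Python checker that parses R0/R1 and O4 entries in the format shown above and lists items a log helper would want to look at: a malformed browser start-page hostname (the `news..google.com` double dot in the log), Run entries that give a bare filename resolved by PATH search, and programs started from the Windows root directory. The sample lines and the allowed-domain set are constructed here; a flag means "verify", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed sample modelled on a few lines of the HijackThis log posted
# above; it is not the full log, and the double dot is copied from the post.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.news.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.news..google.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")  # one DNS label


@dataclass
class Entry:
    code: str  # section code such as "R1" or "O4"
    body: str  # text after "R1 - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_entries(text: str) -> List[Entry]:
    """Keep only the R/O item lines; the header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def hostname_problem(url: str, allowed_suffixes: Set[str]) -> Optional[str]:
    """Reason string if the URL's host is malformed or not under an allowed domain."""
    host = urlparse(url).hostname
    if not host:
        return f"no hostname in {url!r}"
    if any(not LABEL_RE.match(label) for label in host.split(".")):
        return f"malformed hostname {host!r}"  # empty label, e.g. 'news..google'
    if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
        return f"hostname {host!r} is not under an allowed domain"
    return None


def command_problem(cmd: str) -> Optional[str]:
    """Flag Run-key commands whose executable location deserves a second look."""
    m = re.match(r'"([^"]+)"', cmd)  # quoted path first, else the first token
    exe = m.group(1) if m else cmd.split()[0]
    if "\\" not in exe:
        return f"bare filename {exe!r} is resolved by PATH search, not a full path"
    if exe.rsplit("\\", 1)[0].upper() == r"C:\WINDOWS":
        return f"{exe!r} starts from the Windows root rather than System32 or Program Files"
    return None


def review_log(text: str, allowed_suffixes: Set[str]) -> List[Finding]:
    """Run the per-section checks over every parsed entry."""
    findings = []
    for e in parse_entries(text):
        reason = None
        if e.code in ("R0", "R1") and " = " in e.body:
            reason = hostname_problem(e.body.split(" = ", 1)[1].strip(), allowed_suffixes)
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            if m:
                reason = command_problem(m["cmd"])
        if reason:
            findings.append(Finding(e.code, reason, e.body))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, {"google.com"}):
        print(f"{f.code}: {f.reason}\n    {f.body}")
```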

Comments

  • IndigoRed (Perth, Western Australia, Icrontian)
    edited March 2007
    Hi Indigo, nice name! :D

    2 things: read these posts and follow the second one. The first mentions not using HJT 2.0... have a read.

    When you do these, there'll be a pro-expert that'll perform magic before your very eyes!

    Cheers,

    IndigoRed

    http://www.short-media.com/forum/showthread.php?t=55221

    http://www.short-media.com/forum/showthread.php?t=43902
  • edited March 2007
    Hi, thanks for any and all help. Here is the new log with the previous version of HJT. I'm still working on the other things in the list. I just cleaned most of these downloads off my system but if this helps I'm willing. Again thanks so much for taking the time to read the info!

    Logfile of HijackThis v1.99.1
    Scan saved at 6:51:39 PM, on 3/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\vVX6000.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.news.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.news..google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.news.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.news.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.news.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.news.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.news.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.news.google.com/
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX4800"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  • edited March 2007
    Hi IndigoRed!

    I just wanted to post additional information. I had run the Panda scan about 2 hours ago and it came back clean; there was no option to copy a report with a clean scan. I'm running the BitDefender right now on the Windows computer. I'm a uni-mac user. The BD is going to take a bit, so when I get that done, if anything comes up I will add to the posts thus far.

    On a personal note my son is a blazing red head, so loving your name big time.

    thanks again for your help
    indigo
  • edited March 2007
    Here is a copy of the BitDefender scan.

    [General]
    App = "BitDefender Online Scanner v8"
    Date = 31:03:2007
    Time = 19:45:58
    Scan Path = A:\;C:\;D:\;E:\;
    [Engines Info]
    Virus Definitions = 411417
    Engine build = "AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)"
    Scan plugins = 14
    Archive plugins = 38
    Unpack plugins = 6
    E-mail plugins = 6
    System plugins = 1
    [Scan Statistics]
    Folders = 3393
    Files = 104064
    Archives = 1477
    Packed files = 5481
    Identified viruses = 0
    Infected files = 0
    Warnings = 0
    Suspect files = 0
    Disinfected files = 0
    Deleted files = 0
    Copied files = 0
    Moved files = 0
    Renamed files = 0
    I/O Errors = 32
    [Scan Settings]
    SecondAction = Delete
    FirstAction = Disinfect
    Heuristics = 1
    Enable Warnings = 1
    Exclude Ext =
    Extensions = *;
    Scan Emails = 1
    Scan Archives = 1
    Scan Packed = 1
    Scan Files = 1
    Scan Boot = 1
    Verify Memory = 0
    [Scan Results]
    Line00000000 = "No problems found."
  • edited April 2007
    Hi all,

    Well I think I'm ok, still not sure about a possible hard to find Rundll hijack, but I did take these steps.

    Ran Hijack this - uninstalled the 2.0 version / reinstalled the 1.9 version
    I have AVG
    Windows Defender
    Spywareblaster
    RegSeeker

    Ran 3 root kit programs / BlackIce, Sophos, and Gmer
    Ran Online Scans / Panda, BitDefender
    Did the Rundll.cmd script, which appears ok?

    The only things I didn't do was download Ad-Aware & Spybot,
    I have had both these programs on my system in the past and have made the personal decision not to re-install them. Sorry that I am not following your suggested guidelines for these two programs, which are great programs but I have concerns and issues with both of them.

    If there is anything in my logs that raises a red flag to your eyes, please let me know.

    Thank you for any and all help
    Rainna
  • IndigoRed (Perth, Western Australia, Icrontian)
    edited April 2007
    Hi Indigo,
    Don't know what your issues are with Spybot and Ad-aware, but both are excellent programs. Maybe install and run them; get the log, and delete them after working through your issues? I can't see any bugs with the reports you've submitted, although better ppl than I may spot something... What brought you to think you had a backdoor virus? Was it removed by AVG?

    BTW, I tried the new Ad-aware beta and found it very resource heavy. Don't bother with it yet.

    Cheers to you and the little red headed kid...

    IndigoRed
  • edited April 2007
    IndigoRed wrote:
    Hi Indigo,
    Don't know what your issues are with Spybot and Ad-aware, but both are excellent programs. Maybe install and run them; get the log, and delete them after working through your issues? I can't see any bugs with the reports you've submitted, although better ppl than I may spot something... What brought you to think you had a backdoor virus? Was it removed by AVG?

    BTW, I tried the new Ad-aware beta and found it very resource heavy. Don't bother with it yet.

    Cheers to you and the little red headed kid...

    IndigoRed
  • edited April 2007
    Hi IndigoRed,
    Thanks for the reply. Let's see, to begin with I started to suspect a backdoor.irc due to some random issues with my keyboard, mouse, and system. In the past I had a local neighborhood boy hack into my bandwidth and went off of wireless, with added security on my D-Link router...that was a learning curve! Since then I have become much more cautious about sudden quirks and I was having quite a few of them. So I did the best I could on cleaning and found hidden on my system backdoor/trojan and trojan, a keylogger, and something else (head has been spinning due to age constraints, lol). I also found out that two of my family members had the same issue and we were all using AIM, and Windows Live Messenger. I believe that the nastie came from AIM, but not certain. Also did a lot of searching on things to look for and what to do. Ran several different programs and discovered with CWShredder through running the report scan that there were two things being blocked.
    Nothing else run showed anything, and I ran lots of different scans via the internet. Everything came up clean, but with RegSeeker I found the backdoors, keyloggers, etc... hidden in a #,#, pci-ven something like that. I was also playing around with a Linux distro via a virtual machine, and had done some downloads from bittorrent sites......all has been deleted and back to Win XP Pro am I. Just plain Windows wiped am I.
    Yesterday after doing what I thought would be my final clean, when I rebooted my system came back up as if it was started for the first time. I assume (?) that one of the many files I deleted had something locked to my profile, and thought ok, well this is going to be alright. Had come to the decision to re-load a clean install anyways, but the system did this for me. I continue to scratch my head on that one. Oh and another key point with this was the deletion of my financial program; there was indeed a keylogger on my system and I believe this was the whole purpose of the nasty. I also was deep into my security settings for my system and things had been changed to "share", which was a big surprise to me as in the past all shares had been disabled in Local Security Policies, and special permissions had been set where none were in the past......another clue to a hack.
    Thanks so much for all your time and help, but for now I think things are better. System is running great again and all the scans are coming back clean, not that this is inclusive as I have discovered. But if I have any concerns I will just do a clean install and forgo all this stuff.

    By the way my little red headed kid is 26 with a little one of his own.......we just became 1st time grandparents in November and he is a joy!

    Again thanks so much for all your help and please excuse any spelling errors as I just suck at spelling!

    Indigo
  • edited April 2007
    Hi, I wanted to come back and tell you what the name of the virus was that I had, and will be doing much follow up to verify that I'm clean. It's been around awhile and it locks on to your browser. Many reports are out there that the typical set of software to find this thing isn't working. I'm not trying to sound negative here, but it is good to know that after many efforts of trying to remove this thing, that I wasn't going nuts after all!
    Here are two links for some good information on it and I hope it is helpful to others like myself.

    http://kb.mozillazine.org/Firefox.exe_always_open

    http://kb.mozillazine.org/Firefox.exe_always_open#Removal

    Hope this is helpful and again thanks for all your time and effort.

    Indigo
  • IndigoRed (Perth, Western Australia, Icrontian)
    edited April 2007
    Hi Indigo,
    I'm worried and I'm giving a call for one of the site gurus to come on board. Here's why:
    1. I have never heard of any version of Windows doing a clean install by itself. You have to instigate this. More like it's created a new user profile if the other one was damaged. Not the same thing! If you had bugs there, they're still there.
    2. That Backdoor has left you vulnerable to attack from an outside source. Do you do any financial transactions on that machine or other sensitive activity? You may very well be compromised. You need to contact any and all financial and other institutions and inform them that your security may have been compromised. Changes of Identity account numbers and passwords will be in order as well as whatever activity is recommended by the institute concerned. And WHATEVER YOU DO don't use the pc again until your problems are resolved!
  • IndigoRed (Perth, Western Australia, Icrontian)
    edited April 2007
    To help who ever jumps in, to give them a head start, rename "HijackThis" to "Scanner" and run it again. Save the log and re-post it here.
    Also, you didn't mention what your concerns were with Ad-aware and Spybot?

    Cheers mate.
  • edited April 2007
    Hi, thank you so much for your concern and I do appreciate it very much. I had my financial program on my system but only used it for the check register. I have never used it for any type of online banking, and I also NEVER had any account numbers listed in it. Everything in the banking account was extremely generic with references to payments made. Things like checking account, savings account, salary account, credit card account, all things listed in such a manner. I did at one time do online buying and had set up a savings account with a different bank and kept only a minimal balance in it, and when I wanted to purchase anything online I went and put the $ in just to cover the purchase. That account was closed 2 years ago and it was not our main banking account.

    We are also part of the Wisconsin mess with the social security numbers being printed on our tax forms that were mailed to us. Not sure if you heard about this or not but a huge printing error was done in Wisconsin and the FBI are investigating the printing company. Due to this mess we do have "People" and "Protection" measures in place that have locked down our financials. Not only via the Federal Government but with the 4 major, (trans union, etc....)
    and with a company set up by our bank. All new account cards, etc.......were changed already for added protection. I thank you for your welcomed concern but I have all my credit reports, and feel better about the added protection on us right now as we were part of the mix-up. We were sent a letter from the IRS informing us of the steps needed, and have done them.

    Yes, I was shocked to see a "new profile" made after deleting so much in the registry. Yesterday I spent most of the day going through all the programs, profiles, and changed the security levels on the new profile. I also found the old profile listed under its own folder in Docs and Settings. I changed the security permissions on everything in there (yes, I had my router and modem unplugged) and went about deleting it. Yes, there were several stop gaps in these files and folders, and I lost all my precious grandson's pics.
    Then I went and deleted many programs for a clean install of them when I did get back online. I also went through every permission on the new profile and changed things in these. Had a bit of trouble with some things that were marked for "Sharing" but spent a lot of time in my group policy settings, services, etc.....to try and clean this thing up. All the .exe's are scanned via "Jotti" and oh, I forget the name of the other one. While offline I put in a firewall which warned me when I found my old "Firefox" profile, which led me to the info from the links I posted earlier. This thing has been around awhile and it's got its own stealth mode of hiding. Like the information states, many of the known "find me" programs out there are not catching this one. Including HijackThis, along with several online scanners. Others who have been through this beast have it well documented once a person knows what they are looking for. Even a clean install isn't enough to protect someone, as this is documented by others much more experienced than myself.

    I added this information for all the people to check; the forum boards are just full of problems as this one is very bad. Since I have deleted the "Old" profile, and anything associated with it, my system is doing better. This is not to say I'm out of the woods by any matter! But no longer am I having mouse problems, loading problems, etc... and the firewall seems to be doing a great job (Comodo) so far, but again that's not to say all is clean with me yet. I also spend a lot of time in regedit and when I find something unknown I go into search mode to verify if it's legit or not.

    Spybot and Ad-Aware are two programs that are Not catching this one. I have had trouble in the past uninstalling both these programs, which I feel are "bloated", and TeaTimer can cause additional problems. It's just my personal feelings. I don't assume to impose my choice on anyone else and there are lots of folks who have had very good results with both programs; I'm not one of them.

    I'm having an extensive script written for me by a family member who works for the Pentagon and will be importing that into my system when and if I get this thing cleaned out, or if I do a clean install of my Win XP Pro. If a clean install is done then I will also do a security wipe (takes all night) first.

    Right now I'm working to try and find out as much information as possible for the script.

    I wanted to inform anyone else out there who may have had any of the same issues as myself with a system booting to a new profile. And yes, this was a shock to me as well!

    Hope this added information is helpful, but it seems this thing has many places to hide as you can see from the links I posted above.

    Thank you once again for all your help.

    Indigo
  • edited April 2007
    Just to let you know I'm going out of town for a week to 10 days tomorrow or Friday. My dad is having surgery and I will be assisting in his care and recovery.

    I only share this with you because I may not be able to respond to any questions during this time.

    I also have to take a look at my hubby's system, daughter's system, and my Mac when I return. I have several family/friends calling me with their computer problems and getting the script done is paramount, but all has to be on hold until my dad's recovery.

    Thank you again.
    Indigo
  • Trogan (London, UK)
    edited April 2007
    Hi Indigo,

    IndigoRed has given you some good advice. Your HijackThis log is clean and does not show any sign of infection.

    This advice from IndigoRed is excellent:
    That Backdoor has left you vulnerable to attack from an outside source. Do you do any financial transactions on that machine or other sensitive activity? You may very well be compromised. You need to contact any and all financial and other institutions and inform them that your security may have been compromised. Changes of Identity account numbers and passwords will be in order as well as whatever activity is recommended by the institute concerned. And WHATEVER YOU DO don't use the pc again until your problems are resolved!
    If you are certain there was a Backdoor that is now gone, you should look to do the above.
  • edited April 2007
    Hi all, and once again Thank You for all your help. I returned home and wasn't able to even load my Win XP Pro system. I assume that it wasn't clean after all and have just finished re-loading my operating system. It's not online yet as I'm loading my anti-virus and other programs. I wanted to touch base and again thank everyone for all their time and help, especially IndigoRed!

    I hope the information that was gathered here will be of some help to others.

    Take Care
    Indigo