| Thread ID: 62868 | 2005-10-22 05:24:00 | I got sucked, Skype trojan!!!!!!!!!!!! | theother1 (3573) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 398344 | 2005-10-22 05:24:00 | Hi folks, I think I may have got sucked in by an email from "Skype" and downloaded the "new Skype 1.4". I still am having difficulty believing I was so gullible, but more importantly, does anyone know of a recovery process? I have run Ad-Aware and Spybot. I have Windows protection and I run AVG Free and ZoneAlarm, but as I invited this thing in I don't think that all that protection would have helped. Anyone got a clue? | theother1 (3573) | ||
| 398345 | 2005-10-22 06:13:00 | See if Trojan Remover will remove it. dl.filekicker.com It looks like it installs a few files! (I think this is what it's called.) securityresponse.symantec.com And then use the Utilities menu in TR and select the 3rd to 7th option. And then update XP, if u use it, with the link in the above Symantec URL. www.microsoft.com And disable System Restore, and boot into safe mode to do the above, once u download TR. | Speedy Gonzales (78) | ||
| 398346 | 2005-10-22 07:38:00 | Thanks Speedy. Ran the Trojan Remover and it showed no problems. Found your instructions a little confusing. Do you mean I should do all the things you suggest, or are they alternatives???? | theother1 (3573) | ||
| 398347 | 2005-10-22 07:51:00 | Umm, well, the Symantec site shows what it does, and the removal instructions, so u can hopefully remove it! Or try that Ewido suite, that's been posted here 1000 or so times. Or post a HJT log here. We'll see what else is lurking on your system. Did u try Trojan Remover in normal XP and in safe mode?? And select the 3rd - 7th option under the Utilities menu? As well as disable System Restore?? | Speedy Gonzales (78) | ||
| 398348 | 2005-10-22 09:11:00 | I am not as computer literate as you so less jargon and more specific instructions would be useful for this situation. I do appreciate your help though, so don't misread my comment. | theother1 (3573) | ||
| 398349 | 2005-10-22 09:14:00 | And no, I didn't run it in safe mode or disable System Restore. Like I say, duh!!!!!!!!!!!! | theother1 (3573) | ||
| 398350 | 2005-10-22 09:26:00 | To disable System Restore (if u use XP or ME) - well, dunno about Windows ME - right click on My Computer on the desktop and go to the System Restore tab. And tick "Turn off System Restore". Then reboot and then press F8 down to go into safe mode. Once in safe mode, scan again with Trojan Remover and select the 3rd - 7th option in Trojan Remover..... To get HijackThis, get this: www.merijn.org. Unzip it first and put it in its own folder. Then run it, do a scan, and copy and paste the log here. After u do the above, untick System Restore as above, to enable it again. | Speedy Gonzales (78) | ||
| 398351 | 2005-10-23 07:07:00 | Logfile of HijackThis v1.99.1 Scan saved at 8:03:47 p.m., on 23/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ATK0100\Hcontrol.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\ASUS\ASUS Live Update\ALU.exe C:\WINDOWS\system32\sistray.EXE C:\WINDOWS\system32\khooker.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\WINDOWS\System32\taskswitch.exe C:\WINDOWS\System32\fast.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\System32\Fast.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\RegSrvc.exe C:\WINDOWS\System32\RoamMgr.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Plaxo\s37g.a03348\InstallStub.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Asus\Asus ChkMail\ChkMail.exe C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE C:\Program Files\Nikon\NkView4\NkVwMon.exe C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\1XConfig.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\ATK0100\ATKOSD.exe C:\WINDOWS\system32\wuauclt.exe C:\DOCUME~1\Admin\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = google.icq.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1 O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\\s37g.a03348\InstallStub.exe -a O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe O4 - Global Startup: Hotkey.lnk = C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - floridakeysmedia.tv O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - download.mcafee.com O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - chat.msn.com O17 - HKLM\System\CCS\Services\Tcpip\..\{D37AB2BB-028D-4089-8DE5-B9E867809F83}: NameServer = 203.96.152.4,203.96.152.12 O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe | theother1 (3573) | ||
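The log above arrives as one run-together line, and the reply that follows picks entries out of it by section code (R3, O16, O20, O4). As an added example, not from the thread or from HijackThis, here is a small Python script that splits such a log back into entries and lists the sections a reviewer looks at first; the sample log is constructed, and its Temp-directory O4 entry is invented purely to exercise that check.

```python
import re

# Constructed sample, run together on one line the way the forum extraction
# shows the real log. The "[Updater]" O4 entry is invented to exercise the
# Temp-directory check; the other entries mirror ones quoted in the thread.
SAMPLE_LOG = (
    'R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = google.icq.com '
    'R3 - Default URLSearchHook is missing '
    'O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP '
    'O4 - HKCU\\..\\Run: [Skype] "C:\\Program Files\\Skype\\Phone\\Skype.exe" /nosplash /minimized '
    'O4 - HKCU\\..\\Run: [Updater] C:\\DOCUME~1\\Admin\\LOCALS~1\\Temp\\update.exe '
    'O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net '
    'O20 - Winlogon Notify: Sebring - c:\\WINDOWS\\System32\\LgNotify.dll '
    'O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZONELABS\\vsmon.exe'
)

# Every HijackThis entry begins with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ", so a zero-width split in front of each code recovers the lines.
ENTRY_START = re.compile(r'(?=(?:^|\s)(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - )')
# Executable path of an O4 Run entry: text after the "[name]" tag, quoted or not.
EXE_PATH = re.compile(r'\]\s*"?([^"]*?\.exe)', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\temp\\', re.IGNORECASE)


def split_entries(log_text):
    """Split a run-together log into one string per HJT entry."""
    return [e.strip() for e in ENTRY_START.split(log_text) if e.strip()]


def review_entries(entries):
    """Return (code, reason, entry) for the entries a reviewer checks first."""
    flagged = []
    for entry in entries:
        code, _, rest = entry.partition(' - ')
        if code == 'R3' and 'missing' in rest:
            flagged.append((code, 'HJT default check failed', entry))
        elif code == 'O16':
            flagged.append((code, 'ActiveX control downloaded from the web', entry))
        elif code == 'O20':
            flagged.append((code, 'Winlogon Notify DLL: confirm the file is expected', entry))
        elif code == 'O4':
            m = EXE_PATH.search(rest)
            if m and TEMP_DIR.search(m.group(1)):
                flagged.append((code, 'autorun executable lives in a Temp directory', entry))
    return flagged


def review_log(log_text):
    return review_entries(split_entries(log_text))


if __name__ == '__main__':
    for code, reason, entry in review_log(SAMPLE_LOG):
        print(f'{code:4} {reason}\n     {entry}')
```

Entries it does not flag are not thereby clean; the script only reproduces the first pass a reviewer makes before checking each remaining path and publisher by hand.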
| 398352 | 2005-10-23 07:47:00 | Ok, tick these entries. Tick "Fix checked". Then reboot. R3 - Default URLSearchHook is missing O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/...all/xscan53.cab O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll Don't know what this is. O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Not nasty but not needed. Everything else looks OK. In ZA see if u can unblock/delete the file u allowed for this trojan. Try Ewido as well. http://www.ewido.com Do a scan after u download/install it. | Speedy Gonzales (78) | ||
| 398353 | 2005-10-23 08:09:00 | Sorry, but where do I tick them? | theother1 (3573) | ||