Mischel Internet Security Forum
Topic: I'm worried...  (Read 16045 times)
Untouchable J (Full Member)
« on: Aug 21st, 2004, 5:21am »
I'm very much worried because I have a strong suspicion something is on my computer without my knowledge. I know this because one of my CCs (which I only use online) was used for unwanted purchases. I never used that CC on any other computer except for this one. So I beg of you guys to help me out with some tips/suggestions to search for anything suspicious on my computer. My TH scans always come clean except for NTFS Data Streams, and I notice I have some more today:
 
>C:\WINDOWS\atmoUn.exe:SummaryInformation:$DATA
>C:\WINDOWS\atmoUn.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
>C:\WINDOWS\AU_Backup\AuBackup.ini:SummaryInformation:$DATA
>C:\WINDOWS\AU_Backup\AuBackup.ini:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
>C:\WINDOWS\choice.exe:SummaryInformation:$DATA
>C:\WINDOWS\choice.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
>C:\WINDOWS\UniFish3.exe:SummaryInformation:$DATA
>C:\WINDOWS\UniFish3.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
 
I wish I was a "computer expert" so I could do this on my own. Please help.
 
-J
 
P.S. I haven't changed anything for the files above, but I did check their properties. I find this very unlikely, but could that be why it's showing up?
 
 
« Last Edit: Aug 21st, 2004, 5:24am by Untouchable J »
siliconman01 (Global Moderator)
« Reply #1 on: Aug 21st, 2004, 6:36am »
Well, the very first thing you should do is call your CC company and ask them to close the credit card number and issue you a new credit card number.  They should be very supportive of helping you do this because of the fraud potential.
 
Do you have a program named NSIS.EXE on your system?  Search for it using Windows Explorer?  If you find it, please take a look at this Symantec link concerning this keylogger:
 
http://securityresponse.symantec.com/avcenter/venc/data/spyware.ikiteckl.html
 
The reason I am asking this is because atmoUn.exe is pegged by Pest Patrol as part of keylogger spyware.  However, conflicting info indicates this is actually part of Adobe software.  
 
 
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Untouchable J (Full Member)
« Reply #2 on: Aug 21st, 2004, 11:02am »
Thanks for the reply.  
 
I did call my CC company and they reimbursed me and also changed my number. I'm still worried though, because the fact somebody got my CC number makes me believe something like a keylogger is on here without my knowledge (and not being detected).
 
I did search for "NSIS.EXE" and nothing was found. I scan my computer with TH every day and it hadn't listed the ADS until I checked the properties of the files above (I was searching through my WINDOWS and SYSTEM32 folders for anything suspicious).
 
What else can I do to make sure I'm clean? I scanned with McAfee AV, a couple of online AV scanners, TH, Ad-aware, & Spybot and they didn't detect anything. I also have SpywareBlaster and SpywareGuard enabled and recently started using IE-SPYAD.
 
Please help.
 
-J
siliconman01 (Global Moderator)
« Reply #3 on: Aug 21st, 2004, 12:10pm »
One way to get rid of an NTFS alternate data stream is to copy the file out to a FAT32 disk and then copy it back to its original location on your NTFS hard drive.
 
I don't know how big these files are that you have displayed in this thread; however, if they will fit on a floppy disk that will do it.  Also, if you have a ZIP drive on your system that is FAT32 that will work too.  
 
Just go into SAFE MODE, find each one of the NTFS files using Windows Explorer, copy it, and paste it onto the floppy or Zip.  Then copy/paste it back to the original location, overwriting the original version.   Reboot into normal mode and rescan with TH.
 
(Another probable way to get rid of the NTFS ADS stream is to attach the file to an email to yourself.  I haven't tried this, but I suspect that the ADS will get removed).
 
 
As far as finding some other element on your system that has you infected, try some other spyware programs that have free trial downloads.  Here is what I recommend:
 
Spy Sweeper 3.0   at www.webroot.com
Pest Patrol      at www.pestpatrol.com
 
(NOTE:  Pest Patrol has an EXTENSIVE ruleset and does catch items that other spyware programs do not. HOWEVER, it is notorious for false positives.  It does have a restore feature.  So anything deleted can be restored.  Just be cautious with this one.  I have both of these programs on my system, so I can possibly assist you further on these if you elect to try them.)  
 
I assume you have upgraded to the new SE version of AdAware that just came out last week.  If not, you should do so.  However, I don't think the new version will "catch" anything different than the V6.181.  But it's worth the upgrade to verify this just in case.  The new version does scan more files than V6.181.  So it's a possibility.  
 
The only other Trojan scanners worth their salt are BOCLEAN and TDS-3.  TDS-3 does have a trial version which can be downloaded at www.diamondcs.com.au.  It doesn't look like BOCLEAN has a trial version.  
 
Post back here when you need to.  HTHs
 
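The FAT32 round-trip above strips every named stream blindly. As an added example (not from this thread or from TrojanHunter), the PowerShell function below lists the named streams on a set of files, labels the two stream names seen in this thread (the ones the Windows 2000/XP shell writes when a file's Summary property tab is used) as expected, flags anything else, and can remove named streams in place; it assumes PowerShell 3.0 or later, where `Get-Item` and `Remove-Item` take a `-Stream` parameter.

```powershell
# Added example, not code from the forum thread. Enumerate NTFS alternate data
# streams on the given files and report any stream other than the default
# ':$DATA' stream (the file content itself). -Remove deletes the named streams
# in place, as an alternative to copying the file to FAT32 and back.
function Get-SuspectStreams {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [switch] $Remove
    )
    # Stream names the Windows 2000/XP shell creates on NTFS when the Summary
    # tab of a file's Properties dialog is used. Expected, not hostile.
    $shellPropertyStreams = @(
        'SummaryInformation',
        '{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}'
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            Write-Warning "Not found: $file"
            continue
        }
        # ':$DATA' is the unnamed default stream; everything else is an ADS.
        $streams = Get-Item -LiteralPath $file -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $kind = if ($shellPropertyStreams -contains $s.Stream) {
                'shell-property'
            } else {
                'UNEXPECTED'   # worth submitting to your scanner vendor
            }
            [pscustomobject]@{
                File   = $file
                Stream = $s.Stream
                Bytes  = $s.Length
                Kind   = $kind
            }
            if ($Remove) {
                # Deleting the named stream leaves the file's own content intact.
                Remove-Item -LiteralPath $file -Stream $s.Stream
            }
        }
    }
}

# Usage with two of the paths quoted in the thread (adjust to your system):
Get-SuspectStreams -Path 'C:\WINDOWS\atmoUn.exe', 'C:\WINDOWS\choice.exe' |
    Format-Table -AutoSize
```

Run it once without `-Remove` to review the report, then again with `-Remove` only for the files whose listing you are satisfied with.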
Randy_Bell (Global Moderator)
« Reply #4 on: Aug 21st, 2004, 2:08pm »
on Aug 21st, 2004, 12:10pm, siliconman01 wrote:
I assume you have upgraded to the new SE version of AdAware that just came out last week.  If not, you should do so.  However, I don't think the new version will "catch" anything different than the V6.181.  But it's worth the upgrade to verify this just in case.  The new version does scan more files than V6.181.  So it's a possibility.

The new AdAware SE is updated more often, and the old v6.181 will soon be phased out {in less than 90 days}, so you should definitely upgrade.  The AdAware SE installation will detect your old v6.181 and uninstall it for you, so no need to do the uninstall of v6.181 yourself.  I do get the impression that AdAware SE has substantial improvements and will detect more than the old v6.181; seems that way to me, after running SE myself.
Untouchable J (Full Member)
« Reply #5 on: Aug 22nd, 2004, 10:30am »
Good Morning,
 
Thank You for the replies.
 
Yes, I've updated to Ad-aware SE Personal Build 1.03 and have been using it since the release.
 
The files with the ADSs add up to about 101.6KB, so I shouldn't have problems using a floppy. I plan to pick up some new FDs tomorrow, then I'll follow your instructions.
 
I downloaded and scanned with the free trial of Spysweeper and it detected these:
 
Alexa Toolbar:
-(Registry Entry)HKEY_CURRENT_USER\software\microsoft\internet explorer\extensions\cdmapping ll {c95fe080-8f5d-11d2-a20b-00aa003c157a}
-(Registry Entry)HKEY_USERS\WRSS_Profile_Administrator\software...(continues with the same as first entry)
-(Registry Entry)HKEY_USERS\WRSS_Profile_Default User\software...(continues)
-(Registry Entry)HKEY_USERS\WRSS_Profile-xxxxxx\software...(continues)
 
SearchIt Toolbar:
-(Registry Entry)HKEY_CLASSES_ROOT\interface\{cabbb49a-4d7b-415b-8250-15c3b854e9ff}  
-(Same as first entry) \proxystubclsid
-(Same as first entry) \proxystubclsid32
-(Same as first entry) \typelib
-(Same as first entry) ll(-default-)
-(Same as first entry) \proxystubclsid ll(-default-)
-(Same as first entry) \proxystubclsid32 ll(-default-)
-(Same as first entry) \typelib ll(-default-)
-(Same as first entry) \typelib ll version
 
The rest were cookies. I also ran the free trial of PestPatrol and it detected 94 pests (whoa), which is too much to list here. Is there a way I could send somebody the logfile (I see there's no way to attach a file in the forum)? The reason I'm listing these is because I can't tell if they're FPs or indeed legit malware. I wouldn't want to remove anything before having an expert opinion. I also tried the TDS-3 free trial, which gave me the message "Thanks for evaluating TDS-3". I don't remember trying out TDS and they wouldn't answer my e-mails. I sent another e-mail today.
 
I'm sorry if I'm asking too much (if I am, please tell me). I'm just not a "computer expert", which forces me to look for help.
 
-J
 
P.S. I should also point out that I'm currently still trying to figure out this about:blank problem with IE. When I close IE it would redirect to about:blank before closing.
Randy_Bell (Global Moderator)
« Reply #6 on: Aug 22nd, 2004, 11:13am »
I would be careful with PestPatrol were I you; they are notorious for false positives.
Randy_Bell (Global Moderator)
« Reply #7 on: Aug 22nd, 2004, 11:15am »
on Aug 22nd, 2004, 10:30am, Jrshaw62 wrote:
P.S. I should also point out that I'm currently still trying to figure out this about:blank problem with IE. When I close IE it would redirect to about:blank before closing.

That about:blank problem can be a hijacker, even the dreaded CoolWebSearch; I suggest you post your HJT logs here in the Trojans forum or over on Computer Cops, SpywareInfo, or DSLReports to get expert help.
Magnus (Administrator)
« Reply #8 on: Aug 22nd, 2004, 11:54am »
There is a possibility that someone has hacked one of the servers where your credit card data was stored after purchase. These kinds of servers are popular among hackers since in one hack they can get access to thousands of credit card numbers, often with full address information and credit card verification number. I'd say it's much more likely that this is the case than someone hacking your computer.
siliconman01 (Global Moderator)
« Reply #9 on: Aug 22nd, 2004, 12:57pm »
I agree with what Magnus says on the server/CC possibility as compared to your own system being cracked.
 
However, it does sound like you are significantly infected with potentially malicious things.  
 
I suggest the following:
 
1.  Empty your C:\Windows\Temp folder.  
 
2.  Empty your Temporary Internet Files and cookie folders.  
 
3.  Manually create a system Restore Point and write down the time and date of this specific Restore Point so that you can locate it if necessary.  Granted it will be infected, but it gives you a "start over" place if needed.
 
4.  Open Spy Sweeper and click on the "About" icon on the right.  This shows the latest spyware definitions which is 387.  If you need to update to 387, click on the Options icon and select the update definitions option.  You have to be signed on the Internet obviously.  Also it may take several attempts to get the update because Webroot has a remote spyware scanning feature for users which does make their server very busy.  
 
5.  Then scan with Spy Sweeper and let it remove the cookies it finds, Alexa and SearchIt toolbar.  Test your Internet Explorer afterwards and make sure it is working.  You can restore Spy Sweeper deletions by selected the Quarantine icon in Spy Sweeper.  Run Spy Sweeper again and see if it shows up anything new.  
 
6.  Run HiJackThis V1.98.2 and post its log here on this thread for us to look at.  I agree with Randy that it may help show up that something such as CoolWebSearch is on your system.  And it may take going over to ComputerCops or DSLReports to get things resolved on the HiJackThis log.  But let's see it here first.
 
7.  When you run AdAware6 SE, is it only identifying items that are associated with the about:blank problem?
 
8.  Check your PM concerning the Pest Patrol Log file.  
 
We'll keep pluggin' away to try to assist you.
Untouchable J (Full Member)
« Reply #10 on: Aug 22nd, 2004, 4:20pm »
Thanks again for the replies.
 
I followed your instructions to first create a restore point (it was weird to find out it was disabled). Then I marked and removed the Alexa and SearchIt entries with Spysweeper. Then I rebooted and played around with IE for a while. Everything is working fine except one minor thing with my AOL toolbar (the drop-down arrow options won't work). This minor feature I don't use, so it doesn't matter to me.
 
I did post my HJT logfile at the Lavasoft forums for review and described the about:blank problem I'm having. They said they couldn't find anything wrong with my log but advised me to remove:
 
09-Extra button: (no name)-{08B0E5C0-4FCB-11CF-AAA5-0041C608501}-(no file)
09-Extra button: (no name)- {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}-(no file)
 
I found out that these were the Mcafee AV and Sun Java button under Tools. I have the entries sitting in backup. When I run Ad-aware it reports that I'm clean (except for some MRU's).  
 
I guess if a hacker got my information off the servers then it's out of my control.
 
-J
 
EDIT: Is it possible for me to send you my HJT log, because it's too long for the forums?
« Last Edit: Aug 22nd, 2004, 4:29pm by Untouchable J »
siliconman01 (Global Moderator)
« Reply #11 on: Aug 22nd, 2004, 4:28pm »
Well, you took the right action by contacting your CC company for sure.
 
Another possibility on this:  Did you happen to get an email that wanted you to update your credit card data or re-enter info?  If so, you may have been phished.  Just a thought.
 
Be sure to update your AdAware to today's new update for definitions... a lot of new entries.
siliconman01 (Global Moderator)
« Reply #12 on: Aug 22nd, 2004, 4:39pm »
Quote:
EDIT: Is it possible for me to send you my HJT log because its too long for the forums.

 
Yes, send it via the email address in your PM
siliconman01 (Global Moderator)
« Reply #13 on: Aug 22nd, 2004, 4:43pm »
And a "Just my opinion" comment about AdAware SE.
 
I urge you to consider purchasing AdAware SE Plus or Pro (Plus is adequate for most home users).  
 
Why?  Because you then get AdWatch, which is a realtime monitor and blocker.  It blocks tracking cookies and other malicious elements as they occur.  When you just have the scanning feature, everything is after the fact and significant damage could already be done.
« Last Edit: Aug 22nd, 2004, 6:08pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
Posts: 5798
Re: I'm worried...
« Reply #14 on: Aug 22nd, 2004, 4:59pm »
Quote Quote  Modify Modify

Here is a thread on ComputerCops which appears to be successfully removing About:Blank.  Certainly worth a shot.
 
http://computercops.biz/postp217898.html