What the f*ck?

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[Bizzare]

Leave that radiating pile of metal in the corner online for 24 hours a day and your gonna get hacked. Explanations im afraid dont need to be complex.

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[Lawley]

start your computer up in safemode and run your virus/adware scanners there.

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[Hunter¥]

I believe you hold ctrl when starting up.

 

You know, I really hope the people who do this kind of thing get alot of happiness out of it. Because the internet is alot more frustrating than it has to be because of this crap.

 

Do you have any anti-virus/hack/spyware installed and running?

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[matthew1g]

do u have a firewall?

 

leave it to stealth mode when you're gone

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[Hunter¥]

I think you can only get Zone Alarm Pro as a trail. I don't think you need Pro anyway if you just want a firewall. Pro is the firewall with a spamblocker, anti-virus, and a bunch of other bells & whissles. Basic Zone Alarm is avaliable for free at Zonelabs.com

[Waste]

You got hacked, simple as that.

Not a smart move to leave a comp on 24/7 without a firewall.

If you don't get a firewall it will happen again and again.

To start up in safe mode, press F8 before the windows loading screen pops up.

[SteakPhish]

IE - Firewall = RAPE

[SMG]

There are three main things that you should do to prevent being hacked:

•Use a firewall, ZoneAlarm is good, but I recommend Windows Firewall that it built into Windows XP SP2.

•Security Updates, Have Automatic Updates enabled and go to Windows Update (now called Microsoft Update) often, make sure that you have Service Pack 2 especially. You can also use Autopatcher XP to download all the updates and burn to CD instead of having to update again everytime you format. Also update your Antivirus, Antispyware, and browser regularly.

•Antivirus. Norton and Mcafee arn't very good anymore, Try PC-Cillin, NOD32, F-Secure, Panda, AVG(Free) or eTrust. My favourite is Symantec Antivirus (Same company as Norton, but not bloated).

 

Other things you can do:

•AntiSpyware. More useful once you actually get Spyware, but I think that these days it would be just as important as Antivirus. Get one that stays resident in memory (Auto-protect). I havn't used many Anti-spyware products, but I know that Microsoft Anti-spyware(Free) does this.

•Use an alternative browser such as Firefox or Opera. It might take a little getting used to from your browsing habits with Internet Explorer at first, and as it gets more popular, Spyware vendors might target alternative browsers... But at the moment, Firefox and Opera are the most secure browsers and the fact is that there is no Spyware written for them at the moment.

 

As far as fixing your problem:

•First remove any viruses/trojans. You can remove all the Spyware you can, but one of these will keep downloading it again so it magically comes back. Try doing one online at http://housecall.trendmicro.com/ or http://security.symantec.com/

•You can boot into safemode by tapping F8 until you get a Windows Boot Menu immediately after you see your computer's POST screen. Once you see the Windows Startup logo, you know that you've missed it, reboot and try again sooner.

•Of your list, the following processes sound like spyware:

apisvc.exe

apisvc.exe

casclient.exe

ccEvtMgr.exe (Norton... If you have it installed)

exp.exe

gms2.exe

InSearch.exe

kqunr.exe

medgs1.exe

MediaAccess.exe

MediaAccK.exe

Navapsvc.exe (Norton... If you have it installed)

salm.exe

sav2.exe

ScreenshotUtility.exe

wwSecure.exe

•Sometimes the best way to remove spyware is to go into the Add/Remove programs and uninstall. The usually try and make it tricky by giving you a brain teaser before you can uninstall (so they know you are uninstalling instead of an Antispyware program), But it works.

•Go Start > Run... > Type MSCONFIG > Press Enter/OK.

Click the Startup Tab.

You shouldn't need anything ticked except for your Norton, Antispyware and NVIDIA drivers. If something stops working (ie: Hotkeys on your keyboard) then you can go back in later and try to reenable a process.

 

You will need to reboot for the changes in MSCONFIG to work, and when you've enabled/disabled all the processes you want, Tick the box on next startup to tell it to go away.

•Go into Internet Explorer, Go to Tools > Manage Add-ons... (you need Service Pack 2 for this), and then switch everything to disabled (except possibly Sun Java, Macromedia Flash, and Windows/Microsoft Update)

[segosa]

Post your HijackThis log.

[Wolf68k]

I hope no one minds me chiming in here and going back voer things that may have already been said.

First the easy ones...

STOP USE IE!!!! Seriously, use Firefox or if you must have something that is more IE like, there is Maxthon and I think Avant is as well but even if it ain't it's still said to be a good browser.

 

And for SafeMode it's F8 on most mobos and BIOS

 

 

Firewall

Forget ZoneAlarm, not even with the Pro. However Kerio Personal Firewall is good and free for personal use, although it's reported that they will discontinue it at the end of the year.

Windows XP firewall is good as a NAT firewall, but your spyware problem won't be stopped by that. However SpywareBlaster can stop most of them.

 

 

AntiVirus and anti-spyware

I've already listed SpywareBlaster

Get Ad-Aware and Spybot as well....I'm not going to link them, that's what the "Read Before Posting" topic is for and it has them as well, you can also find some antivirus programs there as well.

AVG, AntiVir and NOD32 are also free and said to be good choices.

AVG is free but limited yet it can check emails but it's slow at checking them

AntiVir is fast but it cannot check emails

NOD32 I honestly don't know much about

 

 

Your list of running processes:

apisvc.exe - TROJAN

casclient.exe - ADWARE

exp.exe - TROJAN

gms2.exe - ADWARE

InSearch.exe - not 100% sure but I'll bet it's ADWARE

kqunr.exe - not 100% sure but I'll bet it's ADWARE

medgs1.exe - MALWARE which is a combonation of Trojan and Adware

MediaAccess.exe - ADWARE

MediaAccK.exe - ADWARE

salm.exe - ADWARE

ScreenshotUtility.exe - ADWARE despite what the name says I don't trust it unless someone can prove me other wise

 

wwSecure.exe - WebRoot Window Washer "Wash away all traces of your PC and Internet activity and improve system performance"- Fat lot of good that it you. Maybe you need to change the water in the wash.

 

 

 

Boot into SafeMode

Run your anti-virus full system scan, deep scan if the choice is there....go have some cake or a cookie while it works it'll take a good while

Run Ad-Aware, full deep scan...go jog around the block to work off the cake you just ate because this too while take away

Run Spybot, this won't take so long so just sit back with the comics section of the newspaper

Run HijackThis and save the log to file, come back here and copy&paste the log here.

HEADS UP!!! Even after all of this cleaning, even if you run each one 3 or 4 times until they turn nothing up, when you restart back into normal mode so you can paste your log here you might have to go back into SafeMode again and run the scans again because there are things that no one but HijackThis can see but it can't tell you exactly which ones are good or bad.

[Knightmare]

Update Ad-Aware and Spybot S&D before you run in safe mode, and you might as well download Microsofts Anti-Spyware beta program, it worked like a charm and cleared out some things that were blocking Spybot and AdAware on my coworker's PC.

 

Once everythings updated, restart and press F8 repeatedly to start Safe Mode, otherwise just open up MSConfig and check off /SAFEMODE in the boot options.

 

Restart in safe mode, and run all of the scanners you have.

 

Report back with problems you're having.

[anus]

Woah. That looks pretty bad. I've got nothing to say the others haven't said.

 

But I don't trust SpyareBlaster though. I once had it all updated and stuff and everytime I do a scan, there are loads of spyware, etc. SpywareBlaster isn't worth the download, to me it blocks about 25% of the spyware attacks, the others get in easily.

 

I use AVG Free, Spybot, Ad-Aware and Zone Alarm and also Jetico Personal Firewall. It's a great programme. I have it and I'm really satisfied with it, it's free too. I also use Prevx, Prevx is awesome imo. No other word for it, great firewall, it's also free.

 

 

[Svip]

And for SafeMode it's F8 on most mobos and BIOS

It actually depends on the version of your Windows. It has nothing, what soever to do with your BIOS or Motherboard, as Windows is already booted and good to go.

 

But barb, why did you think that leaving IE on Yahoo! would be a good thing? My friend, use Google and Firefox.

[Wolf68k]

My bad, I was helping someone on voice chat as I was typing that was trying to get into his BIOS on another machine....so that explains why I don't him that it depended on the version of Windows he was using.

[matthew1g]

service pack 3 is out download it from microsoft site

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[PresidentKiller]

You still have some nasty stuff in there. IE's been hijacked and so is your HOSTS file (that's why Google's giving you weird results).

 

wolf68k is the master when it comes to identifying threats on HijackThis logs, so I'll leave that task to him.

 

After you've gotten rid of all the nasty stuff, take a look at this site to tweak your HOSTS file so you can block nasty things/sites with it:

http://www.mvps.org/winhelp2002/hosts.htm

 

 

•Use a firewall, ZoneAlarm is good, but I recommend Windows Firewall that it built into Windows XP SP2.

•Antivirus. Norton and Mcafee arn't very good anymore, Try PC-Cillin, NOD32, F-Secure, Panda, AVG(Free) or eTrust. My favourite is Symantec Antivirus (Same company as Norton, but not bloated).

 

Windows Firewall is good when you don't want trojans or strange things to get into your computer. It fails if you have some kind of spyware or virus that's sending information from your computer.

 

McAfee VirusScan is a pretty good antivirus, I use it and I have never had any problems with it. It's not a resource hog and doesn't take over your computer like Norton does.

[segosa]

Remove this by killing the process and finding the file and deleting it:

C:\WINDOWS\etb\pokapoka65.exe

 

Remove these by placing a check by them and clicking 'fix':

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clickhere4search.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.clickhere4search.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clickhere4search.com/sp2.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clickhere4search.com/sp2.php

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.31.81.22 www.google.ae

O1 - Hosts: 69.31.81.22 www.google.am

O1 - Hosts: 69.31.81.22 www.google.as

O1 - Hosts: 69.31.81.22 www.google.az

O1 - Hosts: 69.31.81.22 www.google.bi

O1 - Hosts: 69.31.81.22 www.google.cd

O1 - Hosts: 69.31.81.22 www.google.cg

O1 - Hosts: 69.31.81.22 www.google.ci

O1 - Hosts: 69.31.81.22 www.google.cl

O1 - Hosts: 69.31.81.22 www.google.co.cr

O1 - Hosts: 69.31.81.22 www.google.co.hu

O1 - Hosts: 69.31.81.22 www.google.co.in

O1 - Hosts: 69.31.81.22 www.google.co.je

O1 - Hosts: 69.31.81.22 www.google.co.ke

O1 - Hosts: 69.31.81.22 www.google.co.ls

O1 - Hosts: 69.31.81.22 www.google.co.ug

O1 - Hosts: 69.31.81.22 www.google.co.ve

O1 - Hosts: 69.31.81.22 www.google.com.ag

O1 - Hosts: 69.31.81.22 www.google.com.ar

O1 - Hosts: 69.31.81.22 www.google.com.br

O1 - Hosts: 69.31.81.22 www.google.com.co

O1 - Hosts: 69.31.81.22 www.google.com.cu

O1 - Hosts: 69.31.81.22 www.google.com.do

O1 - Hosts: 69.31.81.22 www.google.com.ec

O1 - Hosts: 69.31.81.22 www.google.com.fj

O1 - Hosts: 69.31.81.22 www.google.com.gi

O1 - Hosts: 69.31.81.22 www.google.com.gt

O1 - Hosts: 69.31.81.22 www.google.com.ly

O1 - Hosts: 69.31.81.22 www.google.com.mt

O1 - Hosts: 69.31.81.22 www.google.com.my

O1 - Hosts: 69.31.81.22 www.google.com.na

O1 - Hosts: 69.31.81.22 www.google.com.nf

O1 - Hosts: 69.31.81.22 www.google.com.ni

O1 - Hosts: 69.31.81.22 www.google.com.np

O1 - Hosts: 69.31.81.22 www.google.com.pa

O1 - Hosts: 69.31.81.22 www.google.com.pe

O1 - Hosts: 69.31.81.22 www.google.com.ph

O1 - Hosts: 69.31.81.22 www.google.com.pk

O1 - Hosts: 69.31.81.22 www.google.com.pr

O1 - Hosts: 69.31.81.22 www.google.com.py

O1 - Hosts: 69.31.81.22 www.google.com.sa

O1 - Hosts: 69.31.81.22 www.google.com.sv

O1 - Hosts: 69.31.81.22 www.google.com.ua

O1 - Hosts: 69.31.81.22 www.google.com.uy

O1 - Hosts: 69.31.81.22 www.google.com.vc

O1 - Hosts: 69.31.81.22 www.google.com.vn

O1 - Hosts: 69.31.81.22 www.google.dj

O1 - Hosts: 69.31.81.22 www.google.es

O1 - Hosts: 69.31.81.22 www.google.fm

O1 - Hosts: 69.31.81.22 www.google.gg

O1 - Hosts: 69.31.81.22 www.google.gl

O1 - Hosts: 69.31.81.22 www.google.gm

O1 - Hosts: 69.31.81.22 www.google.hn

O1 - Hosts: 69.31.81.22 www.google.kz

O1 - Hosts: 69.31.81.22 www.google.li

O1 - Hosts: 69.31.81.22 www.google.lt

O1 - Hosts: 69.31.81.22 www.google.lu

O1 - Hosts: 69.31.81.22 www.google.lv

O1 - Hosts: 69.31.81.22 www.google.mn

O1 - Hosts: 69.31.81.22 www.google.ms

O1 - Hosts: 69.31.81.22 www.google.mu

O1 - Hosts: 69.31.81.22 www.google.mw

O1 - Hosts: 69.31.81.22 www.google.no

O1 - Hosts: 69.31.81.22 www.google.off.ai

O1 - Hosts: 69.31.81.22 www.google.pn

O1 - Hosts: 69.31.81.22 www.google.ro

O1 - Hosts: 69.31.81.22 www.google.ru

O1 - Hosts: 69.31.81.22 www.google.rw

O1 - Hosts: 69.31.81.22 www.google.sh

O1 - Hosts: 69.31.81.22 www.google.sk

O1 - Hosts: 69.31.81.22 www.google.sm

O1 - Hosts: 69.31.81.22 www.google.td

O1 - Hosts: 69.31.81.22 www.google.tm

O1 - Hosts: 69.31.81.22 www.google.tt

O1 - Hosts: 69.31.81.22 www.google.uz

O1 - Hosts: 69.31.81.22 www.google.vg

O1 - Hosts: 69.31.81.22 google.ae

O1 - Hosts: 69.31.81.22 google.am

O1 - Hosts: 69.31.81.22 google.as

O1 - Hosts: 69.31.81.22 google.az

O1 - Hosts: 69.31.81.22 google.bi

O1 - Hosts: 69.31.81.22 google.cd

O1 - Hosts: 69.31.81.22 google.cg

O1 - Hosts: 69.31.81.22 google.ci

O1 - Hosts: 69.31.81.22 google.cl

O1 - Hosts: 69.31.81.22 google.co.cr

O1 - Hosts: 69.31.81.22 google.co.hu

O1 - Hosts: 69.31.81.22 google.co.in

O1 - Hosts: 69.31.81.22 google.co.je

O1 - Hosts: 69.31.81.22 google.co.jp

O1 - Hosts: 69.31.81.22 google.co.ke

O1 - Hosts: 69.31.81.22 google.co.ls

O1 - Hosts: 69.31.81.22 google.co.th

O1 - Hosts: 69.31.81.22 google.co.ug

O1 - Hosts: 69.31.81.22 google.co.uk

O1 - Hosts: 69.31.81.22 google.co.ve

O1 - Hosts: 69.31.81.22 google.com.ag

O1 - Hosts: 69.31.81.22 google.com.ar

O1 - Hosts: 69.31.81.22 google.com.au

O1 - Hosts: 69.31.81.22 google.com.br

O1 - Hosts: 69.31.81.22 google.com.co

 

Remove these with hijackthis and then find the files and delete them:

O4 - HKLM\..\Run: [lsass] C:\windows\system32\elitednv32.exe

O4 - HKLM\..\Run: [system service65] C:\WINDOWS\etb\pokapoka65.exe

 

Since the file is missing you might as well remove these with hijackthis:

 

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe (file missing)

 

EDIT: And if you're interested I'll tell you exactly what happened to your computer while you were away...

 

For starters it had nothing to do with you leaving IE open on Yahoo.

 

You don't have SP2 (SP3 doesn't exist, Service Pack 2 is what the guy meant) and that means you're not patched against the latest security holes.. and you have no router or firewall. It's actually a miracle you weren't 'owned' (so to speak) earlier.

 

What happened was you were remotely infected with a trojan. What exploit the trojan used we won't know but there are plenty available seeing as you hadn't done Windows Updates for a while. Once the trojan had you infected it connected to an IRC server and joined a channel. You were part of a Botnet at that point.

 

The thing is, while normally this is all that happens and you become a drone and start scanning for other computers to infect (while letting them use you for DDoS), the owners of this particular one wanted to profit from installing loads of adware on every computer they infected. So in the topic of the channel the bot joined, was a line that made the bot download and execute a file that installs adware, and then downloads more.. and pretty much completely f*cks up your PC as you can see.

 

Here is a screenshot of a botnet I was tracking a while ago (note: it's unlikely this was the specific one you became part of):

 

 

As you can see the owners are abusing the bots by making each one of them open a webpage.. well in one of the other channels the bots are told to download an adware installer on join, and in another told to scan IP ranges for vulnerable computers that they can infect.

 

That's the most likely scenario that I can give you from experience, if it wasn't that then you were infected with the adware installer immediately... (but that doesn't make much sense since adware can't scan & infect machines, only trojans can).

Edited September 6, 2005 by segosa

[Wolf68k]

@segosa

Very good my young padawan. You have learned much in defeating the dark side.

sorry I was channeling Star Wars for some reason there

 

 

I would also suggest kill running process

C:\Program Files\Screenshot Utility\ScreenshotUtility.exe

 

And delete..

Start->Programs->Startup->Screenshot Utility.lnk

and

C:\Program Files\Screenshot Utility\

 

When Google can't turn up a straight answer, there is something hinkie there. great now I'm channeling NCIS

 

 

Go ahead and lset HijackThis fix this as well

R3 - Default URLSearchHook is missing

 

 

@segosa

That botnet screenshot, makes me wish I could write programs. I would learn how to that script works, get program installed on to the drone systems and have it clean their systems for them which would take them out of the of the botnet network, and finally let the user know they were infected and used as drone and tell them how to clean their system for FREE.

You might say a virus that is an antivirus. What's sad is that I don't think anyone has thought of it before, or we would have heard of it by now.

[SMG]

I'ld like to point out three things.

 

1. To remove the Google hijack in your HOSTS file, edit C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS in notepad and delete all the lines that say google, you only need 127.0.0.1 LOCALHOST

 

2. The latest service pack for Windows XP is Service Pack 2.

 

3. Internet Explorer isn't a good idea to use, but it still probably wasn't the cause of these trojans/spyware in this case because it was only opened up to Yahoo. It's more likely that a virus got into your system by using a security hole that isn't protected against in Windows XP SP1. There are several holes in Service Pack 1 which don't even require you to do anything on your computer. I don't think that Service Pack 2 currently has any known holes that are remotely exploitable like Service Pack 1.

[matthew1g]

umm...... my dad has suddenly became an anti virus fanatic,

 

he installed:

 

bit defender

zonealarm pro

kaspersky anti-vir

norton

mcaffee

sp3

microsoft anti spyware

trojan hunter ( or whatever it's called)

registry cleaner

 

i'm getting dizzy

[Waste]

umm...... my dad has suddenly became an anti virus fanatic,

 

he installed:

 

bit defender

zonealarm pro

kaspersky anti-vir

norton

mcaffee

sp3

microsoft anti spyware

trojan hunter ( or whatever it's called)

registry cleaner

 

i'm getting dizzy

More than one anti-virus on your computer can have adverse effects on performance.

Besides the fact that the anti-virus programs will clash and sometimes attack each other's quaratines.

[Wolf68k]

 

umm...... my dad has suddenly became an anti virus fanatic,

 

he installed:

 

bit defender

zonealarm pro

kaspersky anti-vir

norton

mcaffee

sp3

microsoft anti spyware

trojan hunter ( or whatever it's called)

registry cleaner

 

i'm getting dizzy

More than one anti-virus on your computer can have adverse effects on performance.

Besides the fact that the anti-virus programs will clash and sometimes attack each other's quaratines.

Yep this can be very very bad.

Besides all of the things that Waste (got it right this time here too ) it'll hurt in the over all performance of the system most noticeable is the start up time.

The most important think about protecting your system from viruses is; your brain.

 

BTW, SP3? If that means ServicePack3 for Windows XP...there is NO ServicePack3 for Windows XP. There is for Windows NT (I think) and 2000, however both truely need their latest service packs (which they are for each one) more so than XP needs it's latest which is only SP2.

[Barbaneez]

...

Edited December 15, 2008 by Barbaneez

[Wolf68k]

Question, when you did the SP2 update was Norton Anti-Virus enabled?

I know that in the past there was a patch that if your anti-virus was enabled (Norton or McAfee or even a few others) the when you restarted your whole system would be running slow and the only fix was to uninstall the patch and restart then disable the anti-virus and reinstall the patch.

Now I'm not saying this could the problem with SP2 being installed, only that it might be a slight possiblility.

 

If you went and manually (this doesn't mean using File Search) looked for those files where they were listed to be and they are not there, then don't worry about it just let HijackThis fix them which just removes their entry.

 

but I can't run a HijackThis scan in safe mode because there's no bullsh*t nonsense running right now.

That I don't get. I was just at someone's house yesterday with SP2 installed (but I've also done it with SP1 install and even on a Win98 machine) and in Safe Mode and never had a problem running HJT.