Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Checkup - Stiggie
#1
Hey .. I need some checkup since my email got hacked:

Hijack: http://tinypaste.com/7a8191

OTL , no extra: http://tinypaste.com/c21f7

MBAM: http://pastebin.com/e9F3baZ9
[Image: in0rjy.gif]
Reply
#2
Greetings,

Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.

In return for this service, I propose to you two conditions:
  1. You are not to create any new threads regarding the similar topic as it will waste another helper's time.
  2. You are not to install any new software in your system, as it may hinder our process thus making this futile.
In accordance to my terms, I also ask of you six things, stated below:
  1. You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
  2. You are to paste each log separately at 'Pastebin' as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
  3. You are to provide the complete set of requested logs.
  4. You are to keep all your trusted tools that the scanners may detect in a password protected archive. This is to prevent them from being deleted as we've had complaints or refusal to use the scanner for this reason.
  5. You are to respond to every step I ask you to do using the format provided at the end of my post.
  6. You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Provided that you will continue with this service, you hereby agree to the above statements. If you deem the conditions are portraying equality, I will willingly perform the analysis without further delay. Should you have any concerns or problems with the above conditions, or if you feel that I have overlooked your log, do inform me through a Private Message.

Thank you.

Genuinely yours,
Quintus
  • Optional Pre-Step

    With regard to my fourth condition, here are the steps on how to password protect your trusted tools momentarily. Do note that I would advise you to remove all the infections present in your system as I am not certain of the sources of these programs thereby I will not be able to verify whether they are backdoored or not.

    You are doing this at your own risk.
    • Create a new folder with the name of your choice.
    • Gather all of your tools into that folder.
    • If you do not have a file compressor, download '7-Zip' and install it.
    • After doing so, navigate to the said folder and right-click.
      • You are now presented with options.
      • Please chose 7-Zip > Add to Archive.
      • Under the Archive Name, enter any name you wish.
      • Set the Archive Format to 7z.
      • Set the Compression Level to Ultra.
      • Under Encryption fill in the Password field twice. You can tick Show Password if you desire.
      • When everything is done, click OK.
    • Wait for some time. The waiting time is determined by the size of your files.
    • 7-Zip will have produced the file for you.
    • Now we test the file by Right-click > 7-Zip > Extract Here.
    • A prompt asking you for the password should appear.
    • Select Cancel as this is for testing purposes only.
    • Now delete the other folder, empty your Recycle Bin and proceed with the instructions.
Note: After I have declared you ALL CLEAN, you may extract your files and dispose of the protected archive.
  • Pre-Step I

    Click 'here' to download Temp File Cleaner by OldTimer. Save it to your desktop.
    • Close any open windows.
    • Double-click TFC.exe and select Run when prompted to execute the program. It will close all open programs itself in order to run.
    • Click the Start button to begin the cleaning process.
    • Please let the program run uninterruptedly.
    • Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
  • Pre-Step II

    Download Security Check by screen317 from 'here' or 'here'.
    • Save it to your desktop.
    • Double-click SecurityCheck.exe and follow the instructions inside of the black box.
    • A Notepad document called Checkup.txt should automatically open; please post the contents of that document.
    • Double-click aswMBR.exe to run it. Windows Vista and Windows 7 users should run it as an administrator.
    • Click the Scan button to start the scan.
    • Upon the completion of the scan, click Save Log, and save it to your desktop. Post it in your next reply.
  • Step 1

    Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your desktop.
    • Double-click esetsmartinstaller_enu.exe to execute the program.
    • Tick Yes, I accept the Terms of Use.
    • Click Start.
    • If this is your first time installing the scanner, allow the ActiveX Control to install.
    • Database download may take some time.
    • When done, make sure that the option Remove found threats is ticked. Under the and Advanced Settings, please put a check on the following options:
      • Scan for potentially unwanted applications
      • Enable Anti-Stealth Technology
    • Click Start.
    • Wait for the scan to finish.
    • Once it is finished, use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic.
  • Step 2

    Run OTL.exe.
    • Copy and paste the following text written inside of the code box into the Custom Scans & Fixes box located at the bottom of OTL.

      Code:
      :OTL
      @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:07BF512B

      :Commands
      [purity]
      [emptytemp]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
    • You will need to post two logs:
      • The log that you will see upon rebooting your system.
      • A new OTL log (don't check the boxes besides LOP Check or Purity this time).
  • Step 3

    Download DDS.scr by sUBs from one of the following links and save it to your desktop.

    'Link 1'
    'Link 2'
    • Double-click on DDS.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear, DDS.txt and Attach.txt.
    • A window will open instructing you save and post the logs.
    • Save the logs to a convenient place such as your desktop.
    • Copy the contents of both logs and post them at 'Pastebin separately and post the links in your next reply.
  • In your next post, please provide the following:
    • aswMBR Log
    • Doesn't Do Squat (DDS) Logs
      • DDS.txt
      • Attach.txt
    • ESET Scan Log
    • OTL Log
    • Security Check Log
  • Code:
    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Link To Requested Logs: [/b]
Reply
#3
Step #
Problems Encountered:

Step #
Problems Encountered:

Step #
Problems Encountered:

Step #
Problems Encountered:

Link To Requested Logs:
http://pastebin.com/dAddfX9x - Security Check
http://pastebin.com/64LhGBxK - aswMBR.exe
http://pastebin.com/xyK2mbyJ - DDS attach
http://pastebin.com/NVE0FkvA - DDS
http://pastebin.com/bJUKNaaV - OTL
http://pastebin.com/X10DZH8A - ESET
[Image: in0rjy.gif]
Reply
#4
  • Step 4

    Your current copy of Java Runtime Environment is outdated. Older versions contain vulnerabilities therefore it is essential that you update it.
    • To get the latest version of Java please go 'here'.
    • Go to Start > Control Panel > Programs and Features.
    • Search in the list for all previous installed versions of Java. You currently have:
      • Java™ 6 Update 24
    • Choose Uninstall.
    • Now install the version(s) you downloaded earlier.
  • Step 5

    Besides compromising network security, their association with illegal file-sharing creates legal liabilities for their employers. More often than not, companies aren't aware of software license violations and other infractions their workers commit through file-sharing.

    More from 'this' article.

    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer. Your system is at risk. Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I strongly recommend that you uninstall the following program(s) present in your system through Add or Remove Programs for Windows XP and Programs and Features for Vista and Windows 7:
    • µTorrent

    Note: If you choose not to remove the program(s), please do not use them until this computer is clean.

    Here is the list of Safe and Unsafe P2P Programs.

    Clean
    • Ares
    • Azureus 2.5.0.0
    • BitComet
    • Bittorrent
    • E-Mule
    • Frostwire
    • Limewire
    • µTorrent

    Unsafe
    • Azureus Vuze
    • BearShare
    • Bitlord
    • BittorrentUltra
    • iMesh

    You can see more of that 'here'.
  • Step 6

    "Real-time protection, on-access scanning, background guard, resident shield, auto-protect, and other synonyms refer to the automatic protection provided by most antivirus, anti-spyware, and other anti-malware programs, which is arguably their most important feature. This monitors computer systems for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in 'real-time'."

    More from 'here'.

    Basing from your log, I seem to have noticed that you have too many security programs with real-time protection running at the same time. Though having a program with real-time protection is technically good, having too many of them of the same kind of protection (for instance, two anti-spyware programs) will slowdown your system drastically.

    I suggest that you uninstall the following programs through Add or Remove Programs for Windows XP and Programs and Features for Vista and Windows 7:
    • Windows Defender

    If you wish not to uninstall the program(s), make sure you disable the real-time protection module (of each) instead.
  • Step 7

    Run OTL.exe.
    • Copy and paste the following text written inside of the code box into the Custom Scans & Fixes box located at the bottom of OTL.

      Code:
      :OTL
      @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:07BF512B

      :Commands
      [purity]
      [emptytemp]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
    • You will need to post two logs:
      • The log that you will see upon rebooting your system.
      • A new OTL log (don't check the boxes besides LOP Check or Purity this time).
  • In your next post, please provide the following:
    • OTL Log
  • Code:
    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Link To Requested Logs: [/b]
  • Comments:
    • Any new accounts hacked?
Reply
#5
Link To Requested Logs: http://pastebin.com/KaMnDjSj

For the comment: No.
[Image: in0rjy.gif]
Reply
#6
  • Step 8

    Now we will uninstall ComboFix and remove its files. They may prove harmful to your system if unused without supervision therefore I will instruct you to remove it.

    Windows Vista and Windows 7:
    • Click the Windows Orb (Start).
    • In the search box type Run and click the program that comes up.
    • Type ComboFix /Uninstall > OK. Or simply copy the emphasized text.

I see no infections present in your log anymore. If you are not having any further problems, I declare you ALL CLEAN.

Required Clean-Ups


★ CleanUp! With OldTimer's Move-It (OTM) ★

This will remove all temporary files stored in your computer and as well as the files generated by the specialised tools I instructed you to use.
  • For Windows Vista and Windows 7:
    • Download OldTimer's Move-It (OTM) 'here' and save it to your desktop. Please click the Go (Arrow Button) or press Enter in the URL address bar to start the download.
    • Please double-click OTM to run it.
    • No programs other than OTM should be running; we will perform a reboot after.
    • On the interface, click the Cleanup! button.
    • Select Yes after the prompt and wait for the reboot.
★ Make Internet Explorer Less Vulnerable ★

I ask that you do not disregard this step whether you are using Internet Explorer or not as your main browser. Please be advised that though you don't seem to be using this, I can assure you that most of your everyday applications use this browser's technology to update thereby solidifying the necessity to update it. Do not leave a single component of your system vulnerable.
    • At Internet Explorer's interface navigate to Tools > Internet Options.
    • Click once on the Security > Internet > Custom Level buttons.
    • Change the following to the designated modifications.
      • ActiveX Controls and Plug-Ins
        • Download Signed ActiveX Controls > Prompt
        • Download Unsigned ActiveX Controls > Disable
        • Initialise And Script ActiveX Controls Not Marked As Safe > Disable
      • Miscellaneous
        • Installation Of Desktop Items > Prompt
        • Launching Programs And Files In An iFrame > Prompt
        • Navigate Sub-frames Across Different Domains > Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
★ Set A Clean System Restore Point ★

This is done to prevent possible reinfection. Your system's restore points need to be constantly flushed. The reason being the infections residing in your system once, could have been more or less, saved in one of your restore points. System Restore is a protected directory; your tools can not access it to delete these files. Re-infection is imminent if this is left unattended. Now, after successfully cleaning your system, creating a clean restore point is essential in case you will ever need a clean backup.
  • For Windows 7:
    1. On the Start Menu, right-click Computer > Properties > System Protection link.
    2. Click Configure.
    3. Click Delete > Continue > OK.
    4. You are now back at the System Protection Tab.
    5. Click Create > <Any Title Here> > Create.
    6. A prompt should tell you that it was successful. Click Close.
    7. Click OK.
    8. System Restore will be working again and will have a new restore point.
A Quick Summary To Prevent Reinfection

1. Install an anti-virus and keep it updated. Run complete system scans.

"An antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and Trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware."

You have to make sure you have an anti-virus installed. Update your anti-virus every day to make sure it has the latest signatures. Yes, updating is essential in maintaining your computer. The latest updates will ensure the integrity of your chosen program. Some paid anti-viruses even offer hourly updates and the reason for this is clear - malware gets advanced and new variants are detected in a short span of time. In addition to updating, perform a complete scan weekly. You might think you don't need it however you do. Don't rely on your instincts that your system is clean.

2. Install and maintain a good firewall.

"A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria."

Make sure you have a firewall installed. A firewall helps monitor connections both inward and outbound. If you have not installed a firewall yet, please be advised that the pre-installed firewall that you have is not much of a protection against attacks. A firewall helps monitor connections both inward and outbound therefore having a specialised firewall is essential.

3. Update Java Runtime Environment.

"The Java Runtime Environment (JRE), also known as Java Runtime, is part of the Java Development Kit (JDK), a set of programming tools for developing Java applications. The Java Runtime Environment provides the minimum requirements for executing a Java application; it consists of the Java Virtual Machine (JVM), core classes, and supporting files. "

You must make sure your Java is up-to-date. Older versions have vulnerabilities that can be exploited. Follow the steps below to update Java.

For Vista and Windows 7:
    • To get the latest version of Java please go 'here'.
    • Go to Start > Control Panel > Programs and Features or Uninstall a Program.
    • Search in the list for all previous installed versions of Java. You currently have:
      • Java™ 6 Update *
      • Java™ SE Development Kit 6 Update *
    • Choose Uninstall.
    • Now install the version(s) you downloaded earlier.
4. Clear temporary files.

Click 'here' to download Temp File Cleaner by OldTimer. Save it to your desktop.
    • Close any open windows.
    • Double-click TFC.exe and select Run when prompted to execute the program. It will close all open programs itself in order to run.
    • Click the Start button to begin the cleaning process.
    • Please let the program run uninterruptedly.
    • Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
5. Keep your computer updated.

You may currently have an outdated Windows Operating System. It is highly recommended you install the latest updates as these are extremely important which contain fixes for several bugs and security issues that attackers exploit. Always make sure that you are protected on all sides. Microsoft offers these updates free of charge. I present to you the option to perform the update.
    • Running Windows Update
      • Go to the 'Official Microsoft Windows Update' site using the latest version of Internet Explorer.
        1. On the Tools menu in Internet Explorer, click Internet Options.
        2. Click the Security tab.
        3. Click the Trusted Sites icon, and then click Sites....
        4. Uncheck the Require Server Verification checkbox.
        5. Make sure the following URLs are listed in the Web Sites list box:
          Code:
          http://*.windowsupdate.microsoft.com
          http://*.windowsupdate.com
        • A pop-up will automatically open.
        • If the pop-up failed to open, click the Start button, click All Programs, and then click Windows Update.
        • Install the Important Updates and reboot as required.
6. Prevention is better than any cure.

Constant vigilance is your number one tool. Aside from keeping in mind safe surfing habits, specific tools are there to further enhance your security. The good thing is that they are free, reliable and low on system resources. Even having them running together won't slow down your system. To download, simply click on the name of each software.

CCleaner

CCleaner is a freeware system optimization, privacy and cleaning tool. CCleaner is the number one tool for cleaning your Windows PC. It protects your privacy online and makes your computer faster and more secure. Easy to use and a small, fast download.
  • Run CCleaner regularly, suggestively after you are done browsing or using your system for the day as it cleans temporary files such as cookies that may prove harmful.
    • Open CCleaner.
      • On the CCleaner tab, select Analyze and wait for the analysis.
        • Click on the Run Cleaner button.
      • On the Registry tab, select Scan For Issues and wait until it finishes.
        • Select Fix Selected Issues > No > Fix All Selected Issues > Close.
MVPS Hosts

MVPS Hosts helps to protect your Privacy and Security by blocking sites that may track your viewing habits. In many cases using a well designed HOSTS file can speed the loading of web pages by not having to wait for these ads, annoying banners, hit counters, etc. to load. This also helps to protect your privacy and security by blocking sites that may track your viewing habits, also known as "click-thru tracking" or data miners. Simply using a HOSTS file is not a cure-all against all the dangers on the Internet, but it does provide another very effective "Layer of Protection".
  • Make sure to check the MVPS Hosts 'site' for updates monthly.
SpywareBlaster

Spywareblaster prevents the installation of ActiveX-based spyware and other potentially unwanted programs. SpywareBlaster can help keep your system secure, without interfering with the "good side" of the web. And unlike other programs, SpywareBlaster does not have to remain running in the background. It works alongside the programs you have to help secure your system.
  • Update SpywareBlaster every day as it adds a list of restricted sites and cookies.
    • Open SpywareBlaster.
    • Click Updates > Check For Updates.
    • If updates are available, refresh the entries by going to Protection Status > Enable All Protection.
WinPatrol

WinPatrol's Host-based Intrusion Prevention System (HIPS) takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. WinPatrol was the pioneer in using a heuristic behavioral approach to detecting attacks and violations of your computing environment. It continues to be the most powerful system monitor for its small memory footprint.
  • Watch for WinPatrol alerts. It will monitor any unwanted changes to your system, such as startup programs and Active X additions.
7. Ask questions.
  • If you have any other questions, please post them on this thread.
Thank you,
Quintus
Reply
#7
Well. Thanks for your help Smile I really do appreciate it. Now i am currently thinking of doing a format. I have backed up my necessary files. And i was told my sneak, that it is a good thing to do once every year, i wanna hear your opinion.
[Image: in0rjy.gif]
Reply
#8
I would agree. It is simply a way to ensure your system is constantly clean.
Reply
#9
(05-31-2011, 06:28 AM)Quintus Wrote: I would agree. It is simply a way to ensure your system is constantly clean.

Fine then Smile I am gonna do it, when i get time >.>

Thanks for your help Quintus Big Grin
[Image: in0rjy.gif]
Reply
#10
No problem. Safe surfing.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Infection Checkup? Epicly 6 2,400 03-26-2011, 08:03 AM
Last Post: Quintus

Forum Jump:


Users browsing this thread: 2 Guest(s)