Trojan and Other Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Denise_M, Aug 12, 2006.

  1. Denise_M

    Denise_M MajorGeek

    A few days ago, I had 2 instances of iexplore.exe running at the same time and my pc was crawling along, with System Idle Process down to between 0 and 10.

    I was browsing through Add/Remove Software and saw Logitech Desktop Messenger and Logitech Resource Center. I had no idea what they do so I Googled them and browsed a few pages, but still wasn't sure if I should uninstall them so I left them alone, and that's when my problems started. I now get between 10 to 15 requests from Sygate asking me if I want to allow dll's from Logitech. I've never received one until a few days ago.

    I ran a bdscan, HiJack This, AVG scan, newfiles.txt, and runkeys.txt but I'm unable to attach them because I attached it to my original post here at MG and the MG program won't let me post them a second time. The Trojan is still in my pc even though the bdscan said that it was deleted. Each time I run the bdscan, it finds the same trojan.

    I ran all the scans required at http://forums.majorgeeks.com/showthread.php?t=35407 and tried all fixes noted at http://forums.majorgeeks.com/showthread.php?t=38752. I also went to http://www.help2go.com/component/detective/ and posted my HiJack This report yesterday but I've received no response as of yet.


    Any help will be appreciated . . . Denise
     

    Last edited by a moderator: Aug 12, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Other logs attached
     
    Last edited: Jul 22, 2007
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post the log from Panda ActiveScan.
     
  4. Denise_M

    Denise_M MajorGeek

    I didn't get notification of this response to my post for some reason. Someone just told me today that I hadn't submitted all the scans that were requested.

    I just finished running the Panda Scan in Safe Mode with Networking two times. Each time, it asked me about my profile at the very end. I clicked on the only choice given me and that was the end of that. No scan report. The page was too large for me to see its entirety, and maximize wasn't an option, so I couldn't see what was on the right hand side of the page.

    I found this file while looking for scans in my pc that I did a few days ago. I don't know if this is the Panda scan report, but it's all I could find.

    I couldn't upload it because I received a message that stated:

    This is what the report contains:

    Denise
     
  5. Denise_M

    Denise_M MajorGeek

    Hi Shadow . . . Sorry about the ActiveScan report. The results on the page show no infected files but that's about all the info I can give you. For some reason, I couldn't get it to provide a report.

    I don't know if this is a legit site but it's tied into a-squared so I think it is. I tried to have a scan done but it couldn't "load the machine."

    http://www.windowsecurity.com/trojanscan/

    There are also several links on the right hand side of the page and I can't open any of them. My pc has gone back to not being able to open a lot of links again.

    If there are any other scans that'll give you some info that you need, just let me know. I'm very willing.



    Hi Halo,

    You had advised me to delete/turn off OneCare Live. Should I also uninstall Dr. Watson? I found this in the NewFiles.txt document.

    "DisplayName"="Dr Watson for Microsoft Windows OneCare Live v0.8.0794.48"

    Thanks guys :)

    Denise
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are using MsConfig to prevent several programs from loading at Windows start. MsConfig is a diagnostic tool and is not intended to be used the way you are using it. Enable all items you have disabled with MsConfig.

    Uninstall OneCare Live. The protection programs you have installed are more effective than OneCare.

    You have items in the Internet Explorer Trusted Zone; nothing should ever be in the Trusted Zone. Remove everything from the IE Trusted Zone.

    << The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Once you have done the above post a fresh HijackThis log.
     
  7. Denise_M

    Denise_M MajorGeek

    Hi Shadow,

    I posted this at the original forum and was asked to post it here as well:

    Also, I uninstalled OneCare but the program was still listed in Services so I unchecked it and stopped it in Services.

    Some websites about WildTangent and Trojan.Exploit.Html.Codebaseexec.CC

    http://www.tech-forums.net/showthread.php?threadid=114937

    http://www.wilderssecurity.com/showthread.php?p=818762#post818762

    http://www.pchell.com/support/wildtangent.shtml

    Denise

    P.S. I'll run HiJackThis tomorrow. It's very late where I live and I need to get some sleep.
     
  8. Denise_M

    Denise_M MajorGeek

    HiJackThis Log is attached.

    In the past couple of weeks, I ran several programs to eliminate Symantec from my pc. The HiJackThis log shows this entry: (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab, so some residue from the program is still in my pc.

    I'm also attaching an Ad-Aware scan log. It found one "Critical Object" that AVG has been finding for the past month. Please let me know how I can fix it.

    Denise
     

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Running Hoster

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.
    False Positive - Ad-Aware is alerting to the "normal" default value for this key.
    This is not a virus. It is actually a part of Wild Tangent. Wild Tangent is considered Spyware by many. Wild Tangent comes pre-installed on several brands of PCs and is installed alongside drivers for things like joysticks and the sort.

    In your case it was installed alongside Logitech drivers. Simply uninstall Wild Tangent and delete all Wild Tangent folders on the Hard Drive.

    Reboot, then post a fresh HijackThis log.
     
  10. Denise_M

    Denise_M MajorGeek

    Thanks for the Running Hoster link.

    I ran HijackThis, 'Do a system scan only.' I checkmarked the boxes you supplied and clicked on the 'Fix Checked' button.

    I don't have the WildTangent program in my pc. What I did have was:

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2

    C:\Program Files\Logitech\Resource Center\resources\content\specialoffers

    C:\Program Files\Logitech\Resource Center\resources\content\specialoffers\041_thumbnail_wildtangent

    C:\Program Files\Logitech\Resource Center\resources\content\specialoffers\041_wildtangent

    C:\Program Files\Logitech\Resource Center\resources\content\specialoffers\042_wildtangent

    I deleted these files.

    I rebooted and ran HiJackThis and attached the log.

    I found this page on the net:

    http://www.auditmypc.com/process/itouch.asp

    It pegged my pc down to the T. Do I need additional security?

    Denise
     

  11. Denise_M

    Denise_M MajorGeek

    Shadow_Puter_Dude said:

    I enabled all items in msconfig so they all load when I boot up. In Services, the only program listed that I could change to Manual is Dantz (external hd back-up). When I stopped the service and put it on Manual, it still loads. The remainder of the programs aren't listed in Services. Where are the settings located that I can change so that the programs that I rarely or almost never use can be put on Manual/On Demand?

    Denise
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I rarely use Audit My PC for information on files. The manner in which they present the information can mislead one into believing the file is bad. iTouch.exe is the software driver for the multimedia keys on Logitech Keyboards. You don't need more protection.

    Most of the programs that you don't want to run can be configured from the Options/Settings menu item in that program.

    Your HijackThis log is clean.
     
  13. Denise_M

    Denise_M MajorGeek

    Hi Shadow,

    Thanks for reviewing my HiJackThis Log. I'm happy to know that it's clean.

    The program I mentioned didn't tell me that iTouch was a bad program. My concern is that it was able to get a lot of info from my pc:

    I removed some of the numbers of addresses and urls but I think that this is a lot of information that's readily and easily available to everyone. Is this normal?

    Denise
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That's not in the least bit unusual. That information can be pulled from your Web Browser, and normally is, by any site you visit.
     
  15. Denise_M

    Denise_M MajorGeek

    Shadow . . . Is there no anti-spy program that can stop it? I'm most concerned about my private IP address and the info in my clipboard.

    Also, this is for anyone reading this post . . . I didn't know that someone could get the information that was in my clipboard. There were times that I've copied and pasted information about my credit cards and passwords to many accounts, including banking and on-line payment services such as PayPal.

    Is information that is stored in "remember my account name and password" also easily accessible? I have it on auto.

    Denise
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    AuditMyPC is using a java applet to find out your IP and to DISPLAY it to you.

    If you want to prevent it from being displayed, you would need to disable java/javascript/activeX, but this would mean that many useful things would not work.

    IP addresses in the (10.x.x.x 192.168.x.x 172.16.x.x) range are not publicly routable subnets. You gave the Java applet permission, knowingly or unknowingly, to read your machine settings.
    They did not grab anything from your clipboard, it is transmitted by your web browser.

    Information that is stored in "remember my account name and password" is not easily accessible. This information is encrypted and stored on your HDD. The only way to obtain that information would be to capture it with a Keylogger, most hackers aren't going to spend the time it takes to crack an encrypted file. However if you store this information on your computer in an unencrypted text file, then that can be stolen.
     
  17. Denise_M

    Denise_M MajorGeek

    Are you saying that the only reason they were able to get the information is because I gave them permission to display it to me? Is that the only reason that they were able to get that info from me?

    I wouldn't want to disable java/javascript/activeX because of the reason you stated. Did I give the site that used the Java applet permission to read my settings, or is there a setting in my pc that allows outside sources to read my IP addresses without my permission? If it's a setting in my pc and I change it, would it cause other programs to stop working, stop allowing me to open websites, etc.?

    The more I learn, the more I learn that I have a lot more to learn.

    Denise
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That is the only reason they obtained that information. When you clicked on the link to display your IP, the webpage that opens is running a Java script that detects your Private IP. This practice at best is questionable, even though it demonstrates how a malicious site can obtain the same information.

    AuditMyPC is not a site I use for information. The manner in which they present their information is often confusing to the inexperienced user, and IMO misleading.

    The tactic of displaying your private IP without clear user consent, IMO, is unethical. This is a blatant scare tactic, which is meant to make you think your computer is not secure.

    Security starts with the user. If you are not the type of individual who makes it a habit to visit questionable sites, then there isn't much of a threat.
     
    Last edited: Aug 19, 2006
  19. Denise_M

    Denise_M MajorGeek

    Thanks, Shadow, for clarifying it for me.

    It seems that the more I try to make my pc secure, the more insecure it gets. I'll have to remember that in the future, but sometimes it's hard to know which site is questionable and which isn't. Some of them look very legit, and you're right . . . they should have said up front that by clicking on the link, I was giving them permission to detect my Private IP. I actively gave them permission to spy on me.

    Thanks again, and I hope this helps other people as well.

    Denise
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are welcome.
     
  21. Denise_M

    Denise_M MajorGeek

    Shadow, In post #9, you advised me to check two boxes to be fixed by HiJackThis. I just ran a HiJackThis scan and the two files are back:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    Should I delete them again?

    Denise
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can fix those if you like, they are benign entries anyway as they are blank.
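As an added example (not code from this thread, from HijackThis, or from its author), a small Python triage over constructed HijackThis-style log lines that applies the two rules given in this thread: a blank R0 Local Page entry is benign because there is nothing for the browser to load, while any O15 Trusted Zone entry is flagged because the advice above is that nothing should ever be in the Trusted Zone. The line layouts are assumed from the standard HijackThis log format.

```python
import re

# Constructed sample lines in HijackThis log format (not the thread's real attachment).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.example-hijack.test/
O15 - Trusted Zone: *.example-ads.test
O4 - HKLM\\..\\Run: [iTouch] C:\\Program Files\\Logitech\\iTouch\\iTouch.exe
"""

# R0/R1 lines: "R0 - <hive\\key>,<value name> = <data>"; the data part may be empty.
IE_PAGE_RE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
# O15 lines: "O15 - Trusted Zone: <host pattern>"
TRUSTED_ZONE_RE = re.compile(r"^O15 - Trusted Zone:\s*(?P<host>.+)$")


def triage_line(line):
    """Classify one HijackThis line as ('benign' | 'review' | 'info', detail)."""
    line = line.rstrip()
    m = IE_PAGE_RE.match(line)
    if m:
        data = m.group("data").strip()
        if not data:
            # Blank Local/Start Page: the empty default, nothing to redirect to.
            return ("benign", f"{m.group('name')} is blank")
        # Non-blank: IE will load this URL on start, so confirm the user chose it.
        return ("review", f"{m.group('name')} set to {data}")
    m = TRUSTED_ZONE_RE.match(line)
    if m:
        # Trusted Zone lowers IE security for that host; an empty zone is the baseline.
        return ("review", f"Trusted Zone entry {m.group('host')}")
    # Anything else is reported but not judged by these two rules.
    return ("info", line[:40])


def triage(log_text):
    """Return (section, verdict, detail) for every non-empty line of a log."""
    return [(ln.split(" - ")[0],) + triage_line(ln)
            for ln in log_text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for section, verdict, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:7} {detail}")
```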
     
  23. Denise_M

    Denise_M MajorGeek

    Thanks for replying.

    Denise
     
