Totally disturbed at my computer.... dont have any idea whats going on...plz help!!

Discussion in 'other security issues & news' started by debochel, Aug 20, 2004.

Thread Status:
Not open for further replies.
  1. debochel

    debochel Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    7
    Hi there, I'm having a few problems at the moment and dunno if it's something I've done or some crafty ba*d has taken advantage of me.... I can't access any kind of online banking, whenever an IB number is entered, it simply disappears and the page refreshes without loading the next stage of the security check where you add your DOB and password...... Also, this might not be related, but all new windows have suddenly been made to open at a very small size, and must be maximised before using...... any help would be greatly appreciated..... I've never come across anything like this before.... And apparently, neither have Ad-aware or Spybot S&D....... Cheers for your time... you lovely people you...no, really, cheers.... :-*. -J
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    Can you try the following free online scan:

    Trend Micro http://housecall.antivirus.com/ or

    I would also try downloading McAfee "Stinger" found here:

    http://vil.nai.com/vil/stinger/

    and run this, just to start an elimination process...

    Let us know how you go...

    Cheers :D
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    Hi debochel, welcome to forum. :)

    So you've scanned with AdAware and Spybot, how about your main AV/AT, any results?

    Maybe you need to really clean out your TIFS/cookies and start fresh, something in there may be 'holding' your banking page.

    But, I most certainly would do full system scan with AV/AT first, then do couple online scans...

    TREND HOUSECALL

    or here is Google listings of Online Scanners.

    GOOGLE ONLINE SCANNER LISTINGS

    Cheers, TAS

    edit: Yo, Blackspear beat me. :)
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    LMAO, Damn, you must have been sleeping ;)

    :D :D :D
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    zzzzzzzzzzzzz...........huh? wazz dat... who der...... :D :D


    debochel, make sure you keep us informed mate. We will try to help you. ;)

    TAS [Don't Disturb the Sleeping Devil]
     
  6. debochel

    debochel Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    7
    Yeah, so I tried the Trend Micro thing, found some uncleanable trojans and deleted them.... also tried the Stinger thing, with no luck.... however, the problem's still there.... What is my main AV/AT and how do I "check" it? o_O Cheers guys. Nice one. -J
     
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    Hi debochel, glad you got back...

    Sorry, lack of communication on my part mate. :(

    AV [Anti-Virus program]
    AT [Anti-Trojan program]

    I was meaning, did you scan with "your" anti-virus program or if you have an Anti-trojan program did you use that also?

    I see where Trend detected and deleted some trojans..... it's not a fully dedicated trojan program, so the chances are you *may* still have something else on your system that Trend will not detect.

    Go here: DiamondCS TDS3 PROGRAM DOWNLOAD

    click on download, follow and pick a download link and dl Trojan Defense Suite [TDS3] a powerful anti-trojan program.

    Install it [don't run it yet].

    then download the latest definitions. [You cannot update the trial TDS thru the program unless you are registered/paid up].

    From here: radius.td3 database file
    [right click on the link, Save Target As.... download to say desktop.

    Place that file into the main TDS folder [not sub folders] and it will ask if you want to replace, say yes. [If it does not ask, you have chosen the wrong folder, it is the one with radius.td3 file in it]

    Start TDS3.

    Menu bar/system testing/Full System Scan.. then let it go thru its paces.

    let us know what it reports......

    Cheers, TAS
     

  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    PS: If it finds anything, it will have another section at the bottom of the main window where it puts the suspect files [see pic]

    Now, right click on any of the file/s it may find, choose Save As Text and it saves it to:

    C:/Program Files/TDS/scandump.txt [provided you installed it to that directory].

    It should open up if you click on YES to view the file, if not, navigate to TDS main folder and look for scandump.txt file, open it and copy/paste in reply.

    In my screenshot, you will note it gave a 'Positive Identification' but it's in fact not a trojan [see the green highlight part], it's a Firewall tester which acts like a trojan trying to connect to net.

    Cheers, TAS
     

  9. debochel

    debochel Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    7
    Hey, I think this is what u asked for, cheers for doing this btw..... Nice. -J

    Scan Control Dumped @ 23:09:43 26-08-04
    Positive identification: TrojanDownloader.Win32.Small.fo
    File: c:\xdldr17.exe

    Suspicious Filename: Dual extensions
    File: c:\nero\keygen.[www.614uc0.tk].exe

    Suspicious Filename: Dual extensions
    File: c:\nero\mp3pro.[www.614uc0.tk].exe

    Suspicious Filename: Dual extensions
    File: c:\nero\nero63115.[www.614uc0.tk].exe

    Positive identification (DLL): Adware.NavExcel (dll)
    File: c:\program files\navexcel\navhelper\v2.0.4b\nhelper.dll

    Positive identification: TrojanDownloader.Win32.Agent.ae
    File: c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp49\a0009925.exe

    Positive identification: Trojan.Win32.Qhost.d
    File: c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp49\a0009926.exe

    Positive identification: TrojanSpy.Win32.Conspy.g
    File: c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp49\a0009927.exe

    Positive identification: TrojanDownloader.Win32.Small.fo
    File: c:\windows\system32\xdldr24.exe
     
  10. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    Hi debochel

    hmmmm.... who's the naughty boy/girl then hey? LOL...

    nero keygen? tut! tut! ~laughing~

    OK.... some of those marked as suspicious dual extensions, are indicated because they have extra period [.] in file name.

    You see, a tricky way of infiltrating your system can be thru double extensions in conjunction with excess spaces. eg: Someone sends you an email, with attachment, saying take a look at this funnypic... you see funnypic.jpg, open it, and wham, the dogs of war have been unleashed upon your PC, lol.

    How that is done, is they have the file funnypic.jpg [lots extra spaces here] .exe or .bat, whatever. You don't see that maybe in an explorer window and only see funnypic.jpg. Understand?

    Now those that mention 'restore' in the path are living in your System Restore and cannot be deleted from there. You have to turn off System Restore, reboot, scan, find/delete, turn SysRestore back on, reboot, make new restore point. BUT only after making sure your PC is fully clean otherwise, you will still have the others in restore.

    Now unfortunately, it looks like you have a nasty Coolwebsearch infection with xdldr24.exe/xdldr17.exe

    check out this....

    http://forum.misec.net/board/Trojans/1088666461

    nhelper.dll is related to Browser Hijacking...

    see here: http://www.2-spyware.com/file-nhelper-dll.html

    and here more info... definitely bad.

    http://computercops.biz/postp254656.html

    Unfortunately I cannot help with those at all...

    As if you delete the CWS one, in the first link, you will see what that person had trouble with. It cannot just be deleted, must be done in certain order.

    I will try to get back to you later, at the moment as in right now, I am late for work, so must run.

    Sorry to leave you dangling, but hopefully someone else can step in here and help in meantime.

    Cheers, TAS
     
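The "dual extension" and "extra spaces" trick described above, turned into a defender-side filename check. This is an added example, not code from the thread or from TDS3; the sample paths are constructed from the scan dump posted earlier plus the funnypic case, and the extension lists are assumptions.

```python
import re
from typing import Dict, List

# Extensions Windows will run directly; the "real" extension an attacker hides at the end.
EXECUTABLE_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "pif", "vbs", "js", "hta"}
# Harmless-looking extensions used as the decoy in front of the real one (assumed list).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "doc", "mp3"}


def analyse_filename(path: str) -> List[str]:
    """Return the filename findings for one path (empty list if nothing looks odd)."""
    name = re.split(r"[\\/]", path)[-1]          # basename, Windows or POSIX separators
    parts = name.split(".")
    findings: List[str] = []
    if len(parts) < 2:
        return findings                           # no extension at all, nothing to judge
    final_ext = parts[-1].strip().lower()
    # More than one period, like nero63115.[www.614uc0.tk].exe: what TDS3 called "Dual extensions".
    if len(parts) > 2:
        findings.append("dual extension")
    # Decoy extension padded with spaces so Explorer shows only "funnypic.jpg".
    if any(seg != seg.strip() for seg in parts[1:]):
        findings.append("whitespace padding before final extension")
    # A picture/document extension in front of an executable one is the classic lure.
    decoys = {seg.strip().lower() for seg in parts[1:-1]}
    if final_ext in EXECUTABLE_EXTENSIONS and decoys & DECOY_EXTENSIONS:
        findings.append("decoy extension hides executable")
    return findings


def scan_paths(paths) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean names are left out."""
    return {p: f for p in paths if (f := analyse_filename(p))}


# Constructed sample: entries from the thread's TDS3 dump plus the funnypic example.
# Note xdldr17.exe is NOT flagged here: a plain name gives the heuristic nothing to
# work with, which is why signature scanning is still needed alongside this check.
SAMPLE_PATHS = [
    r"c:\xdldr17.exe",
    r"c:\nero\keygen.[www.614uc0.tk].exe",
    r"c:\nero\mp3pro.[www.614uc0.tk].exe",
    "funnypic.jpg                .exe",
    "holiday.jpg",
]

if __name__ == "__main__":
    for path, findings in scan_paths(SAMPLE_PATHS).items():
        print(f"{path!r}: {', '.join(findings)}")
```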
  11. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Re: Totally disturbed at my computer.... dont have any idea whats going on...plz help

    Hi again debochel..

    First, I wish to thank "snapdragin" who did some 'legwork' for me while I was at work and gave me the info on this lot.

    NavExcel (the CLSID C1E58A84-95B3-4630-B8C2-D06B77B7A0FC for BHO (nhelper.dll)) is included IN SpywareBlaster's database, which would have prevented infection. Might pay you to get that for protection later on. It's free.

    AdAwareSE & Spybot S&D should have been able to remove it, please make sure you are using the current new versions of both AND updated. Spybot v 1.3 and AdAware SE version 1.03

    You can also try uninstalling the NavExcel through the Add/Remove programs first, then use AdAwareSE or Spybot S&D to clean up any remnants of it.

    But here's a link for it at doxdesk:
    http://www.doxdesk.com/parasite/NavExcel.html

    The other two files: xdldr17.exe, xdldr24.exe

    Probably best to go to: http://a-sap.org/
    and post a Hijackthis log for analysis by one of the Spyware Experts at one of the forum links because a HijackThis scan may [probably will] show more.

    One more thing. System Restore....

    Get your system clean first before turning it off.

    The reason for that is it is better to have some kind of restore point to go back to in case anything should go terribly wrong (like user deletes wrong files or possible false/positives and corrupts system).

    A restore point (with infections and all) is still better to go back to than a reformat. You can always have another go at cleaning your system of the malware files again, but at least you will have a system to clean.

    The files in System Restore will not hurt anything. They will only reinfect the system again if you restore. But once your system is clean and stable, then you can turn off system restore ---> reboot to clean out all the old restore points --> then turn on System Restore after the reboot and set a new restore point.

    Hope this helps and thanks again to snap for extra info, saved me researching. :D

    Cheers, TAS
     
    Last edited: Aug 27, 2004
  12. debochel

    debochel Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    7
    I guess I owe you both a(nother) big thank you..... Cheers guys.... I'll be on with that in the morning... I'll let you know how I get on..... Nice. - J :D
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia