Old 06-27-2006, 02:51 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 74
OS: winxp


malicious cookies

A few weeks ago I got several cookies that were reported - by ewido - as keyloggers. I run ewido several times per day so I wasn't too worried. Then 3 days ago I got 2 different rootkits and couldn't get rid of them; I finally removed their permissions in the registry and that stopped them, but they had already done damage, so I had to format... no biggie when I want to format, but when it's dictated by some wanker... I really get frosted. I changed my LAN addys in my router and felt pretty safe until tonight. I had 15 of these keylogger cookies in a really strange directory, same pattern as before the rootkit infestation. Here is a sample of what was found, and plz note the very first part. I have 2 rootkit proggies but they both say I'm OK, but this directory must be hidden (and my options allow me to view hidden files - unless they are part of a rootkit). Plz analyze and advise. I have checked services and nothing there, so I can't go to the registry. Here's a sample:

:mozilla.16:C:\Documents and Settings\xxxxx\Application Data\Mozilla\Firefox\Profiles\ryiqa33p.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup

I put the xxx's in because the world doesn't need to know my user acct. Finally, using XP Home, but I have the program that gives me 'security' privileges access to files. Some of the other names of the spyloggers are: bridgestat, onestat, hitslink, questionmarket, and spyware.cookie.com
HELP!

jbirdie1 is offline  
Old 06-27-2006, 04:02 AM   #2 (permalink)
Moderator Hardware Team
 
 
Join Date: Mar 2005
Location: UK
Posts: 15,005
OS: XP/7/Ubuntu


Please follow the instructions here and post a HJT log here so a security analyst can help you out.

btw, you still have an unresolved HJT log here

__________________

New members: Subscribe to your thread (Thread Tools) to receive an instant email notification when you get a reply
TSF Folding@Home Team 85015 - details here
TSF Articles - Tech Handbook
koala is offline  
Old 06-27-2006, 05:11 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 74
OS: winxp


they're back

They are somewhere on my system... Sat when I tried to upgrade Zone Alarm to the latest ver, I got a d*** BSOD... I just tried the same update and got a BSOD. I will stay with my earlier ver of ZAP. Now I need to find 'em so I can neuter 'em!
tkz
jbirdie1 is offline  
Old 06-27-2006, 05:17 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 74
OS: winxp


hjt log posted for review

Per your request, I posted my HJT log in the HJT forum but have had no replies, so I'll notify you that it is up... Overnight my Zone Alarm log disappeared and, as I mentioned, I have gotten a blue screen of death when I try to update Zone Alarm as well as when trying to reinstall Clean Disk Security (so I can wipe all free space), so I know they are here, but services are clean and until I have a name I can't chase 'em in the registry. I really don't want to format again because those wankers will obviously come back... I might change my IP in my router again... but I hope to get some really cool advice on this forum... let me know plz, aloha
jbirdie1 is offline  
Old 06-27-2006, 07:17 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 74
OS: winxp


they won again

They got me again. This time I could not launch ANY program; I got a Windows configuration message, so I did a system repair and during that process I got a BSOD, so I am formatting it now - I am on a machine that is not infested. Any ideas how I can keep them off my system?
This time there were no apparent services - I compared what I had with what blkviper says I should have and couldn't see any extra stuff. I ran Process Explorer and saw some things that were strange to me, but I don't know for sure they were bad so I left them alone, mostly stuff in the WinSxS directory. Sunday night people were hammering Zone Alarm, several different IP addys, so I traced them using traceroute and most were traceable to an ISP in Alaska. I sent the admin a message and got a lame reply about how he would forward my request to his abuse dept but I shouldn't expect a reply ("Due to certain privacy concerns and legal restrictions, we often can not share with you the outcome of our investigation or the specific steps we take to address your concerns") - the company is named Fast Colocation. I can't absolutely prove it but I believe that is where this crap is coming from. Each attempt was to a different port and from the USA, Japan, China, Syria, Australia, and some others I can't remember now. Another source is from this company SWIFT VENTURES in Seattle. But all of them refuse to offer any assistance... so, what can I do? My patience is wearing thin and I may need to hire some script kiddies to DDoS these wankers out of existence, or commit honorable hara-kiri? Suggestions are appreciated. One last thing: is this a vulnerability in Firefox or just a coincidence, cause that is usually the only browser I use. This is getting long, so I'll stop for now. I am using a generally unknown browser on a secure system, for now anyway. Tkz for any help
jbirdie1 is offline  
Old 06-27-2006, 07:26 PM   #6 (permalink)
Moderator Hardware Team
 
 
Join Date: Mar 2005
Location: UK
Posts: 15,005
OS: XP/7/Ubuntu


Please wait for a reply in your HJT thread. The analysts will find the cause of your problems and remove any malware. You should get a reply within 24 hours.

If you subscribe to the thread using the Thread Tools button at the top of your HJT post you will receive an email notification as soon as any replies are posted.

Last edited by koala; 06-27-2006 at 07:30 PM.
koala is offline  
Old 06-27-2006, 11:20 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 74
OS: winxp


any way to reload/restore services?

The wankers got my other system, but for now this one is clean and I am keeping it locked down from net traffic when not in limited use. On the system that just got infected, I can't launch any progs that require internet access; all local proggies run well. Now I did discover this in Services: the 'Computer Browser' service is set up right but stopped, and when I go to start it I get a msg that tells me it started then stopped... also the 'Performance Logs and Alerts' service does the same thing. Now is there any way to refresh/restore/repair the services short of a format? I tried a system repair and that didn't solve the problem. Plz offer any comments/solutions. Tks for your patience, aloha
jbirdie1 is offline  
Old 06-28-2006, 04:43 AM   #8 (permalink)
Moderator Hardware Team
 
 
Join Date: Mar 2005
Location: UK
Posts: 15,005
OS: XP/7/Ubuntu


Don't reformat yet. Just keep an eye on your HJT thread for a solution. Threads are answered in the order they are received, so one of the security analysts will get to you as soon as possible.
koala is offline  
Copyright 2001 - 2010, Tech Support Forum