
Solved virus help? [ebay login asking for personal info]

Discussion in 'Malware and Virus Removal Archive' started by Salibu, 2008/06/02.

  1. 2008/06/13
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    I see above that in the KASPERSKY ONLINE SCANNER REPORT it says that a certain item is locked and skipped. That doesn't look good, does it?
     
  2. 2008/06/13
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    The only thing I think it could be is my West work-at-home program, but I don't know. I have the same program on my other computer; I could look and see if I see the same thing on there. I gotta go to work. I will check when I get home.
     


  4. 2008/06/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can copy the following bolded command and paste it on the Start>Run line then hit Enter, then navigate on into the welc..tion_ed341256229a5208_000 2.0000_4e8e2d09922ffe09 folder and check the properties of WelcomeHome.PRODUCTION.exe
    You might find Company and version info on that file.

    "C:\Documents and Settings\Owner\Local Settings\Apps\2.0\3HE68H5T.BYG\47206TV7.7NQ "


    Are you using Internet Explorer, or the AOL browser?
    Are you using a router, and if so, have you set a new login username and password on the router?
    Have you noticed any other odd behavior while using your browser?
     
  5. 2008/06/14
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    I am thinking this file isn't the problem. After looking into it more, it looks like my West at Home program, and I have scanned every file and it says no threats. I do have a router, and I did have to put in a password when I first set this computer up on it to be wireless. Now, I live way out in the country and no one else around me can pick up my internet, but I still put a password on to link up to it. The only thing that made me suspicious about something being wrong is the fact that my eBay and AOL web mail want me to put in personal info to sign in, and that's not normal: AOL is a free web mail (I don't use the AOL program that you have to sign into AOL with to get online) and eBay has never done that before. Also, I get an Internet Explorer error message that says it has encountered a problem and Internet Explorer has to shut down, and it shuts down and I have to open it up again. This happens almost every day. I use IE 7, I think, whichever is the latest version. I don't use the AOL browser.
     
  6. 2008/06/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The router login info I was referring to is the username and password used to log in to the router's control panel, where you set up the wireless encryption, port forwarding, etc. Just curious if you ever changed the default login credentials. Do you have the manual that came with the router? There's a new infection that is targeting routers, using the default login credentials to gain access, then making changes that will direct all traffic through the router to one of their rogue servers. Let's try a couple more things before we go any further with that, though.

    You might want to copy this to notepad since it will involve disconnecting from the internet. Close all browser windows, then click Start>Run, type the following command and hit Enter to open the Network Connections applet.

    ncpa.cpl

    Right click all active connections and select disable.
    Click Start>Run, type cmd then hit Enter to open a command window.
    Type or copy then paste the following command and hit Enter.

    ipconfig /flushdns

    You should receive a message that the DNS Resolver Cache was cleared. Close the command window.
    Now open the Control Panel, then Internet Options.
    Click the Programs tab, then click Reset Web Settings.
    Open ATF Cleaner and Select All, then click Empty Selected.
    Restart the computer, then re-enable the connection(s) and see if the behavior persists.
     
  7. 2008/06/16
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    Well, I followed your instructions and it's still wanting my personal info on those 2 sites, and Internet Explorer is still saying it has encountered an error and needs to close. So now what? This thing is going to drive me nuts. As for the router thing, I don't know if the people at Linksys had me change the default login and password. I don't remember, and I don't think I can locate my manual, but I am sure I can get the manual from their web site.
     
  8. 2008/06/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please navigate to the page(s) where you are getting those prompts, then copy the address(es) and paste them back here.

    Then, please click the following link to a proxy server.

    http://www.freeproxyserver.net/

    Enter either of the next links into the Address Bar on that page then click Go.

    http://www.ebay.com
    http://www.aol.com

    Click the Sign In button and let me know if you are prompted for more than username and password to login.
     
  9. 2008/06/17
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    Both pages say this: Internet Explorer cannot display the webpage

    AOL says it when I click on the mail box before I get a chance to sign in, and eBay says this when I click sign on.

    I will remember the web sites where Internet Explorer encounters the error and post them back here.
     
  10. 2008/06/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My bad... you would probably need to use the CGI proxy on that page to allow for secure login. However, the CGI proxy is down for maintenance at the moment. YouHide seems to be working for login.
     
  11. 2008/06/17
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    OK, I went to YouHide and AOL said this when I tried: There was a problem handling your request. An unspecified error has occurred


    and eBay was the same thing, asking for my personal info.
     
  12. 2008/06/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  13. 2008/06/17
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    I am totally lost now... I think I am looking at the right thing but all the DNS have 0000... oh wait, I got it now.
     
  14. 2008/06/17
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    Mine is different from 1 and 2. I am confused as to what I am looking at here.
     
  15. 2008/06/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you see any IP addresses that are labelled DNS, whether Static or Automatic?
     
  16. 2008/06/17
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    Does it say static or automatic? Because I see neither of those words on anything.
     
  17. 2008/06/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Without knowing the model of router you have and looking up the manual, it's hard for me to know how or where the information would be displayed. In general, it's located in the Status area (Status being a link or a tab). It should be grouped with DHCP settings, IP address configuration and possibly WINS settings. If Automatic DNS is in use, you likely won't see any IP addresses for DNS.

    Is there an internet connection icon in your computer's notification area (down by the clock)? If so, right click the icon and select Status. Check the Details for DNS Server information.
     
  18. 2008/06/18
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    Says automatic.
     
  19. 2008/06/18
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    This is what it says:


    Firmware Version: v1.00.5 Nov. 23, 2006
    Current Time: Wed, 18 Jun 2008 21:26:54
    Internet MAC Address: 00:40:CA:B1:6F:31
    Host Name:
    Domain Name: panhandle.rr.com

    --------------------------------------------------------------------------------

    Internet Connection


    Connection Type: Automatic Configuration - DHCP
    Internet IP Address: 68.207.88.194
    Subnet Mask: 255.255.252.0
    Default Gateway: 68.207.88.1
    DNS1: 65.32.5.111
    DNS2: 65.32.5.112
    DNS3:
    MTU: 1500
    DHCP Lease Time: 24 Hour
     
  20. 2008/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, those addresses resolve to a legitimate server in your area. I do see one thing odd to me, though it might be nothing. The subnet mask is 255.255.252.0 and normally it is 255.255.255.0.
    I'll have to do some digging to find out if that's OK, or maybe you could easily verify by contacting your ISP's tech support.

    Lets dig a bit deeper and see if there's something hiding. Download GMER

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.


    Is there any chance you have another computer there that you could check for the same behavior?
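The router-DNS hijack noahdfear describes above (default credentials used to point the router at rogue resolvers) is checked by reading exactly the fields Salibu pasted from the Status page. The script below is an added example written for this thread, not code from the forum, Linksys or any tool mentioned here. It parses a constructed copy of the posted Status fields, derives the WAN network from the address and mask, checks that the default gateway sits inside that network (the consistency check that matters when a mask other than 255.255.255.0 shows up), and classifies each DNS server against an allow-list and a block-list. The allow-list is an assumption (here just the two resolvers from the status page; in practice take it from the ISP, not from the router), and the block-list uses RFC 5737 documentation ranges as placeholders, not real indicators.

```python
import ipaddress
import re

# Constructed copy of the router Status fields posted in the thread (values as posted).
STATUS_DUMP = """\
Connection Type: Automatic Configuration - DHCP
Internet IP Address: 68.207.88.194
Subnet Mask: 255.255.252.0
Default Gateway: 68.207.88.1
DNS1: 65.32.5.111
DNS2: 65.32.5.112
DNS3:
MTU: 1500
DHCP Lease Time: 24 Hour
"""

# ASSUMPTION: the resolvers the ISP publishes for this account. Here simply the two
# addresses on the status page; confirm them with the ISP, since a hijacked router
# would of course show the rogue addresses as if they were normal.
ISP_RESOLVERS = {"65.32.5.111", "65.32.5.112"}

# PLACEHOLDER block-list (RFC 5737 documentation ranges). Stand-ins for the rogue
# resolver ranges a DNS-changer advisory would list; not real indicators.
ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]


def parse_status(text):
    """Map 'Label: value' lines to a dict; blank values (e.g. 'DNS3:') are dropped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields[key.strip()] = value.strip()
    return fields


def wan_network(fields):
    """Network implied by the WAN address and the mask exactly as the router shows them."""
    iface = ipaddress.ip_interface(f'{fields["Internet IP Address"]}/{fields["Subnet Mask"]}')
    return iface.network


def gateway_consistent(fields):
    """A WAN mask is plausible when the default gateway lies inside the network it implies."""
    return ipaddress.ip_address(fields["Default Gateway"]) in wan_network(fields)


def dns_servers(fields):
    """DNS1, DNS2, ... in order; empty entries were already dropped by parse_status."""
    return [v for k, v in sorted(fields.items()) if re.fullmatch(r"DNS\d", k)]


def classify_resolver(addr, allow=ISP_RESOLVERS, rogue=ROGUE_RANGES):
    """'isp' if on the allow-list, 'rogue' if inside a listed range, else 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if addr in allow:
        return "isp"
    if any(ip in net for net in rogue):
        return "rogue"
    return "unknown"


def audit(text):
    """Full check of one Status dump: WAN network, gateway sanity, resolver verdicts."""
    fields = parse_status(text)
    return {
        "network": str(wan_network(fields)),
        "gateway_ok": gateway_consistent(fields),
        "resolvers": {a: classify_resolver(a) for a in dns_servers(fields)},
    }


if __name__ == "__main__":
    for key, value in audit(STATUS_DUMP).items():
        print(f"{key}: {value}")
```

Any resolver that comes back "unknown" or "rogue" while the router says "Automatic Configuration - DHCP" is worth a call to the ISP before touching the PC further, because a resolver the ISP did not hand out is the signature of the router-side hijack described in this thread.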
     
  21. 2008/06/19
    Salibu

    Salibu Inactive Thread Starter

    Joined:
    2002/05/12
    Messages:
    62
    Likes Received:
    0
    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-06-19 00:52:50
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.14 ----

    .text ntoskrnl.exe!_abnormal_termination + 169 804E27C5 3 Bytes [ 09, CB, EE ]
    .text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [ D0, CF, CB, EE, 90, 15, CB, ... ]
    .text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP EECC19C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
    .text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP EECC14C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[980] USER32.dll!VRipOutput + FFFA4DE7 7E412A78 2 Bytes [ D0, 11 ]
    .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[980] USER32.dll!VRipOutput + FFFA4DEA 7E412A7B 1 Byte [ 30 ]
    .text C:\WINDOWS\Explorer.EXE[1504] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 01A62C2D
    .text C:\WINDOWS\Explorer.EXE[1504] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 01A62BEA
    .text C:\WINDOWS\Explorer.EXE[1504] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 01A62BAE
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!StrStrW + FFE28B75 7C9C5128 4 Bytes [ 70, 0B, 4A, 7E ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!StrStrW + FFE28B81 7C9C5134 4 Bytes [ E0, 0B, 4A, 7E ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!StrStrW + FFE2AA25 7C9C6FD8 4 Bytes [ C0, 0C, 4A, 7E ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!StrStrW + FFE2AB21 7C9C70D4 4 Bytes [ 50, 0C, E5, 01 ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!StrStrW + FFE2AB3D 7C9C70F0 4 Bytes [ 30, 0D, 4A, 7E ]
    .text ...
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!SHFree + 11E 7C9EACF8 4 Bytes [ 60, 01, E5, 01 ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!ILFree + 7C 7C9EAE58 4 Bytes [ 30, 0D, E5, 01 ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!SHCoCreateInstance + 12E 7C9EF9F0 4 Bytes [ 50, 0C, 57, 01 ]
    .text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!ILFindChild + 80B 7C9F2534 4 Bytes [ 20, 0A, E5, 01 ]
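A GMER log like the one above is easier to triage once the hook lines are parsed rather than read by eye. The script below is an added example written for this thread, not code from the forum or from GMER. It parses a constructed subset of the lines Salibu posted (copied verbatim), separates inline JMP hooks that GMER attributed to a module (here klif.sys, Kaspersky) from JMP hooks it could not attribute, and groups the unattributed JMP targets by 4 KiB page, since several hooks landing in one page point at a single code region in that process. Lack of attribution is a prioritisation signal, not a verdict: GMER cannot always name the owner of in-memory code, so an unattributed hook still has to be identified before anything is acted on.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER lines posted in the thread, copied verbatim.
GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 169 804E27C5 3 Bytes [ 09, CB, EE ]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP EECC19C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP EECC14C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe[980] USER32.dll!VRipOutput + FFFA4DEA 7E412A7B 1 Byte [ 30 ]
.text C:\WINDOWS\Explorer.EXE[1504] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 01A62C2D
.text C:\WINDOWS\Explorer.EXE[1504] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 01A62BEA
.text C:\WINDOWS\Explorer.EXE[1504] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 01A62BAE
.text C:\WINDOWS\Explorer.EXE[1504] SHELL32.dll!StrStrW + FFE28B75 7C9C5128 4 Bytes [ 70, 0B, 4A, 7E ]
.text ...
"""

# One '.text' line: target, patched address, byte count, the change (JMP or raw bytes),
# and an optional "module (vendor)" attribution appended by GMER.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?P<change>JMP\s+[0-9A-F]{8}|\[[^\]]*\])"
    r"(?:\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# User-mode targets carry "process[pid] module!export"; kernel targets have no process.
PROC_RE = re.compile(r"^(?P<proc>.+?\[\d+\])\s+(?P<func>\S.*)$")


def parse_gmer(text):
    """One dict per hook line; lines GMER elided ('.text ...') do not match and are skipped."""
    hooks, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---- ") and "code sections" in line:
            section = "kernel" if line.startswith("---- Kernel") else "user"
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        pm = PROC_RE.match(d["target"])
        process, func = (pm.group("proc"), pm.group("func")) if pm else (None, d["target"])
        is_jmp = d["change"].startswith("JMP")
        hooks.append({
            "section": section,
            "process": process,
            "function": func,
            "addr": int(d["addr"], 16),
            "kind": "jmp" if is_jmp else "patch",
            "jmp_target": int(d["change"].split()[1], 16) if is_jmp else None,
            "module": d["module"],
            "vendor": d["vendor"],
        })
    return hooks


def triage(hooks):
    """Bucket hooks: attributed JMPs, JMPs GMER could not attribute, and plain byte patches."""
    buckets = {"attributed": [], "unattributed_jmp": [], "byte_patch": []}
    for h in hooks:
        if h["kind"] == "jmp" and h["module"]:
            buckets["attributed"].append(h)
        elif h["kind"] == "jmp":
            buckets["unattributed_jmp"].append(h)
        else:
            buckets["byte_patch"].append(h)
    return buckets


def shared_pages(hooks):
    """Unattributed JMP targets grouped by 4 KiB page, keyed by page base address."""
    pages = defaultdict(list)
    for h in hooks:
        if h["kind"] == "jmp" and not h["module"]:
            pages[h["jmp_target"] & ~0xFFF].append(h["function"])
    return dict(pages)


if __name__ == "__main__":
    found = parse_gmer(GMER_LOG)
    for name, items in triage(found).items():
        print(f"{name}: {len(items)}")
    for page, funcs in shared_pages(found).items():
        print(f"unattributed JMP targets in page {page:08X}: {', '.join(funcs)}")
```

Run against the sample, the two klif.sys hooks fall into the attributed bucket, the three ADVAPI32 Crypt* hooks in Explorer.EXE are unattributed and all jump into the same page, and the 4-byte SHELL32 patches sit in the low-priority byte-patch bucket. That ordering is what a helper would want before asking for the next log.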
     
