Should I be concerned?


chobits743
07-12-08, 14:33
Ok, so I have been using facebook for a couple of months now. Last night when I got on to check some things, one of my friends had posted that my pic was on a website (some weird thing...) Being the clueless person I am, I followed the link to some stupid thing and put my full name, email, and the full name of the friend who posted it in some form. I got some stupid little pic, so I thought he was playing a joke on me, and I closed out of the website. When I went to check my facebook this morning, I had 4 replies from friends where I had apparently referred them to a weird website where their picture was. :confused: Have I been hijacked by a weird phisher? I told all my friends to not open it, but I'm afraid some have already. I haven't had any weird activity with my laptop, but I don't want to expose anybody else like I was exposed.

irjudd
07-12-08, 14:50
You should be worried that you can't trust yourself not to give out your personal information.

Expect to get lots of spam if you haven't already.

Feather Duster
07-12-08, 16:18
Of course you should! You gave out personal info to some website. Frankly, if something bad happens to your laptop, it's your fault!

chobits743
07-12-08, 18:01
Ok, look, I just checked everything, nothing is wrong. I made a stupid move, so what?! It was from a close friend of mine, so I naturally opened it, thinking it was something silly from him.:mad: It was not from some random person or random ISP or any of that crap. He must have opened something by mistake and it got him. I guess since I don't have an issue you can close the thread then. thanks...

EscondeR
07-12-08, 20:34
Keep us informed anyway.

Run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) just in case and post the report.

Betal
07-12-08, 21:15
I had the same kind of problem once.

I got a MSN message from a friend saying:

''Look at these pictures from my vacation''

And my friend is Swedish but the message was in English. But I looked anyway <.< ... So I got a virus and all my friends got the same message but from my MSN. Really annoying. Some people really need to get a life. :@

TRfan23
07-12-08, 21:21
Request Deletion.

chobits743
07-12-08, 21:24
Oh well. I saw facebook as secure, and I thought my best friend was sending me a funny pic of me, since he did that when we were in school together. It might be a worm going around, so I think I'm going to reinstall spybot instead of spywareblaster and do a full scan to make sure there aren't any bugs crawling around. I already notified the people the phisher or whatnot messaged, and they seemed a little freaked, but ok with it. I keep checking my mail, and nothing suspicious is coming in, not even any weird spam or gimmicks.

Yeh someone hacked my msn account once, was really ****ed off. As someone sent me a site to enter my details to access msn from a web browser, don't know why I did it. Just asked for e-mail plus pass, at times I was automatically signed out from msn. But I then decided to change my msn pass, was fine after :)

Yeah, I'm definitely changing my facebook pass, and I might try to convince the others to do it too. I know some of them visited the site, so they might want to also.

lararoxs
07-12-08, 22:32
There's quite a few incidents like this going around social websites such as bebo and facebook, they don't necessarily give you a virus, but access personal info.

chobits743
07-12-08, 22:35
There's quite a few incidents like this going around social websites such as bebo and facebook, they don't necessarily give you a virus, but access personal info.

yeah, that's what I heard. I changed my password to something more difficult, and sent my friends messages so that they would know what was going on and warned them to change their passwords if they got on the listed website.

lararoxs
07-12-08, 22:37
:tmb: You're on the right track but I would still check for signs of a virus like Alex suggested:)

Keep us informed anyway.

Run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) just in case and post the report.

chobits743
07-12-08, 22:56
Ok, here is my ARDiag report:

Copy the following text and paste it to your report AS IS!!!

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
N/A
Publisher:
"(Verified) Lavasoft AB"
Entry path:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
Entry name:
lsdelete
Program path & name:
"c:\windows\system32\lsdelete.exe"
Enabled: [V]


Program:
"Protects your computer from spyware"
Publisher:
"(Verified) Lavasoft AB"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
aawservice
Program path & name:
"c:\program files\lavasoft\ad-aware\aawservice.exe"
Enabled: [V]


Program:
"AVG E-Mail Scanner"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
avg8emc
Program path & name:
"c:\program files\avg\avg8\avgemc.exe"
Enabled: [V]


Program:
"AVG Watchdog Service"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
avg8wd
Program path & name:
"c:\program files\avg\avg8\avgwdsvc.exe"
Enabled: [V]


Program:
"You can't stop this service if you want to keep ConfigFree functionality fine."
Publisher:
"(Not verified) TOSHIBA CORPORATION"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ConfigFree Service
Program path & name:
"c:\program files\toshiba\configfree\cfsvcs.exe"
Enabled: [ ]


Program:
N/A
Publisher:
"(Verified) TOSHIBA AMERICA INFORMATION SYSTEMS INC."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
pinger
Program path & name:
"c:\toshiba\ivp\ism\pinger.exe"
Enabled: [ ]


Program:
N/A
Publisher:
"(Verified) TOSHIBA AMERICA INFORMATION SYSTEMS INC."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Swupdtmr
Program path & name:
"c:\toshiba\ivp\swupdate\swupdtmr.exe"
Enabled: [ ]


Program:
"TOSHIBA Navi Support Service"
Publisher:
"(Verified) TOSHIBA CORPORATION"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
TNaviSrv
Program path & name:
"c:\program files\toshiba\toshiba dvd player\tnavisrv.exe"
Enabled: [ ]


Program:
"TDCSrv Application"
Publisher:
"(Verified) TOSHIBA CORPORATION"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
TODDSrv
Program path & name:
"c:\windows\system32\toddsrv.exe"
Enabled: [ ]


Program:
"TOSHIBA Power Saver manages power saving settings supported by TOSHIBA. These settings will not work if the service has stopped."
Publisher:
"(Verified) TOSHIBA CORPORATION"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
TosCoSrv
Program path & name:
"c:\program files\toshiba\power saver\toscosrv.exe"
Enabled: [ ]


Program:
"TosIPCSrv.exe"
Publisher:
"(Not verified) TOSHIBA Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
TOSHIBA SMART Log Service
Program path & name:
"c:\program files\toshiba\smartlogservice\tosipcsrv.exe"
Enabled: [ ]


Program:
"ULCDRSvr"
Publisher:
"(Not verified) Ulead Systems Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
UleadBurningHelper
Program path & name:
"c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe"
Enabled: [V]


Program:
"Monitors internet traffic and generates alerts for disallowed access."
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
vsmon
Program path & name:
"c:\windows\system32\zonelabs\vsmon.exe"
Enabled: [V]


Program:
"AVG AVI Loader Driver"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AvgLdx86
Program path & name:
"c:\windows\system32\drivers\avgldx86.sys"
Enabled: [V]


Program:
"AVG Firewall driver"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AvgWfpX
Program path & name:
"c:\windows\system32\drivers\avgwfpx.sys"
Enabled: [V]


Program:
"CD/DVD Class Filter Driver"
Publisher:
"(Verified) GEAR Software Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
GEARAspiWDM
Program path & name:
"c:\windows\system32\drivers\gearaspiwdm.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Inspect
Program path & name:
File not found: system32\DRIVERS\inspect.sys"
Enabled: [V]


Program:
"Realtek 8101E/8168/8169 NDIS6 32-bit Driver "
Publisher:
"(Not verified) Realtek Corporation "
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
RTL8169
Program path & name:
"c:\windows\system32\drivers\rtlh86.sys"
Enabled: [V]


Program:
"tifm21.sys"
Publisher:
"(Not verified) Texas Instruments"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
tifm21
Program path & name:
"c:\windows\system32\drivers\tifm21.sys"
Enabled: [ ]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
vsdatant
Program path & name:
File not found: System32\drivers\vsdatant.sys"
Enabled: [V]


Program:
"AVG Resident Shield Starter"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
avgrsstx.dll
Program path & name:
"c:\windows\system32\avgrsstx.dll"
Enabled: [V]


Program:
"SmoothView"
Publisher:
"(Verified) TOSHIBA CORPORATION"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SmoothView
Program path & name:
"c:\program files\toshiba\smoothview\smoothview.exe"
Enabled: [V]


Program:
"Catalyst® Control Center Launcher"
Publisher:
"(Not verified) Advanced Micro Devices Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
StartCCC
Program path & name:
"c:\program files\ati technologies\ati.ace\core-static\clistart.exe"
Enabled: [V]


Program:
"ZoneAlarm Client"
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
ZoneAlarm Client
Program path & name:
"c:\program files\zone labs\zonealarm\zlclient.exe"
Enabled: [V]


Program:
"TOSHIBA Flash Cards"
Publisher:
"(Not verified) TOSHIBA Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
00TCrdMain
Program path & name:
"c:\program files\toshiba\flashcards\tcrdmain.exe"
Enabled: [ ]


Program:
"ConfigFree(TM) Task tray menu"
Publisher:
"(Not verified) TOSHIBA CORPORATION"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
NDSTray.exe
Program path & name:
"C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"
Enabled: [ ]


Program:
"Catalyst® Control Center Launcher"
Publisher:
"(Not verified) Advanced Micro Devices Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
StartCCC
Program path & name:
"c:\program files\ati technologies\ati.ace\core-static\clistart.exe"
Enabled: [ ]


Program:
"TOSHIBA Power Saver"
Publisher:
"(Verified) TOSHIBA CORPORATION"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
TPwrMain
Program path & name:
"c:\program files\toshiba\power saver\tpwrmain.exe"
Enabled: [ ]


Program:
"Safe Search pluggable protocol"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
linkscanner
Program path & name:
"c:\program files\avg\avg8\avgpp.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
RocketDock
Program path & name:
c:\program files\rocketdock\rocketdock.exe"
Enabled: [V]


Program:
"En-us"
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
toscdspd
Program path & name:
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe"
Enabled: [V]


Program:
"LtMoh MFC Application"
Publisher:
"(Not verified) Agere Systems"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
LtMoh
Program path & name:
"c:\program files\ltmoh\ltmoh.exe"
Enabled: [ ]


Program:
"En-us"
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
TOSCDSPD
Program path & name:
c:\program files\toshiba\toscdspd\toscdspd.exe"
Enabled: [ ]


Program:
"Glary Utilities Initialize"
Publisher:
"(Verified) Glarysoft Ltd"
Entry path:
Task Scheduler
Entry name:
GlaryInitialize.job
Program path & name:
"c:\program files\glary utilities\initialize.exe"
Enabled: [V]


Program:
"Adobe PDF Helper for Internet Explorer"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Adobe PDF Reader Link Helper
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
Enabled: [V]


Program:
"Flashget CatchUrl Module"
Publisher:
"(Not verified) www.flashget.com"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
FGCatchUrl
Program path & name:
"c:\program files\flashget\jccatch.dll"
Enabled: [V]


Program:
"Safe Search for Internet Explorer"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
AVG Safe Search
Program path & name:
"c:\program files\avg\avg8\avgssie.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SSVHelper Class
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\ssv.dll"
Enabled: [V]


Program:
"Flashget GetFlash Module"
Publisher:
"(Not verified) www.flashget.com"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
FlashGet GetFlash Class
Program path & name:
"c:\program files\flashget\getflash.dll"
Enabled: [V]


Program:
"Context Menu Handler"
Publisher:
"(Verified) Glarysoft Ltd"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Glary Utilities Context Menu Shell Extension
Program path & name:
"c:\program files\glary utilities\contexthandler.dll"
Enabled: [V]


Program:
"AVG Shell Extension"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
AVG8 Shell Extension
Program path & name:
"c:\program files\avg\avg8\avgse.dll"
Enabled: [V]


Program:
"AMD Desktop Control Panel"
Publisher:
"(Not verified) Advanced Micro Devices Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Catalyst Context Menu extension
Program path & name:
"c:\program files\ati technologies\ati.ace\core-static\atiacmxx.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
Enabled: [V]


Program:
"FlashGet"
Publisher:
"(Not verified) FlashGet.com"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
FlashGet
Program path & name:
"c:\program files\flashget\flashget.exe"
Enabled: [V]



EDIT: could you also help point out anything weird? I did a reformat a few months ago, and I'm seeing some weird stuff in the report.

EscondeR
08-12-08, 05:37
Download and run Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) and kill those entries:


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Inspect
Program path & name:
File not found: system32\DRIVERS\inspect.sys"
Enabled: [V] - Crap


Program:
"tifm21.sys"
Publisher:
"(Not verified) Texas Instruments"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
tifm21
Program path & name:
"c:\windows\system32\drivers\tifm21.sys"
Enabled: [ ] - Crap


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
vsdatant
Program path & name:
File not found: System32\drivers\vsdatant.sys"
Enabled: [V] - Dead entry


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
RocketDock
Program path & name:
c:\program files\rocketdock\rocketdock.exe"
Enabled: [V] - Consider if you really need this resource hog


It seems clear generally, so the worst you could do is add yourself to some spam database, as was supposed here :) I recommend changing your passwords though.
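A small parser for the label/value layout of the report posted above, added here as an example (it is not part of the thread and not the ARDiag tool's own code). It pulls out mechanically the kinds of entries EscondeR singled out: entries whose image file is missing (dead entries, flagged regardless of whether they are enabled) and entries with no publisher or an unverified one. The sample report embedded in the block is constructed from three entries modelled on the thread; the function names, field names and flag strings are the example's own.

```python
"""Triage an ARDiag/Autoruns-style report (added example, not the tool's own code)."""
import re
from dataclasses import dataclass, field

# Label lines in the report; the value sits on the following line.
VALUE_LABELS = {"Program:": "program", "Publisher:": "publisher", "Entry path:": "entry_path",
                "Entry name:": "entry_name", "Program path & name:": "image_path"}
ENABLED_RE = re.compile(r"^Enabled:\s*\[(.?)\]")  # "Enabled: [V]" or "Enabled: [ ]"


@dataclass
class Entry:
    program: str = "N/A"
    publisher: str = "N/A"
    entry_path: str = ""
    entry_name: str = ""
    image_path: str = ""
    enabled: bool = False
    flags: list = field(default_factory=list)


def parse_report(text: str) -> list:
    """Split the report into Entry records; header and separator lines are ignored."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Program:":          # every entry starts with this label
            current = Entry()
            entries.append(current)
            pending = "program"
        elif not line or current is None:
            continue                    # blank line, or still inside the report header
        elif line in VALUE_LABELS:
            pending = VALUE_LABELS[line]
        elif (m := ENABLED_RE.match(line)):
            current.enabled = m.group(1).upper() == "V"
            pending = None
        elif pending:
            # Values are usually double-quoted; "N/A" and "File not found: ..." are not.
            setattr(current, pending, line.strip('"').strip())
            pending = None
    return entries


def triage(entries: list) -> list:
    """Attach flags and return only the entries worth a second look, enabled ones first."""
    for e in entries:
        if e.image_path.startswith("File not found"):
            e.flags.append("missing file")          # dead entry: nothing can run from it
        if e.publisher == "N/A":
            e.flags.append("no publisher")          # unsigned or unresolved image
        elif e.publisher.startswith("(Not verified)"):
            e.flags.append("unverified publisher")  # signature not checked: look the path up
    return sorted((e for e in entries if e.flags), key=lambda e: not e.enabled)


def summarize(text: str) -> dict:
    """Map entry name -> flags for every flagged entry in a report."""
    return {e.entry_name: e.flags for e in triage(parse_report(text))}


# Constructed sample in the report's layout, modelled on three entries from the thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 (constructed sample)
---------------------------------------------------------------

Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Inspect
Program path & name:
File not found: system32\DRIVERS\inspect.sys"
Enabled: [V]

Program:
"AVG Watchdog Service"
Publisher:
"(Verified) AVG Technologies"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
avg8wd
Program path & name:
"c:\program files\avg\avg8\avgwdsvc.exe"
Enabled: [V]

Program:
"tifm21.sys"
Publisher:
"(Not verified) Texas Instruments"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
tifm21
Program path & name:
"c:\windows\system32\drivers\tifm21.sys"
Enabled: [ ]
"""
```

Calling `summarize(SAMPLE_REPORT)` returns only the two flagged entries, so a verified, present image such as the AVG service drops out of the list. The flags are prompts for a look, not verdicts: a missing image file cannot run, so a dead entry is clutter from an old uninstall rather than an active threat, and an unverified or absent publisher only means the signature could not be checked, so the path is what to look up before removing anything. `triage` mutates the entries it is given, so run it once per parse.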

Paddy
08-12-08, 06:01
I had the same kind of problem once.

I got a MSN message from a friend saying:

''Look at these pictures from my vacation''

And my friend is Swedish but the message was in English. But I looked anyway <.< ... So I got a virus and all my friends got the same message but from my MSN. Really annoying. Some people really need to get a life. :@

Yeah, same with me, I get those weird messages.
Whatever you do, don't accept anything following those. It is a virus.

chobits743
08-12-08, 12:18
Alright, thanks for the tips! I already changed my passwords, I can only hope the others did too.