Author Topic: 6000+ files password protected  (Read 7288 times)

metalwork

  • Guest
6000+ files password protected
« on: February 12, 2004, 04:07:07 PM »
YO,
Ran complete thorough scan (new user) and the log contained just over 6000 files and/or folders which were stated to be password protected and couldn't be scanned.  What's up with this? Thanks

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:6000+ files password protected
« Reply #1 on: February 12, 2004, 04:18:33 PM »
What were the file names? (a few examples, I mean)
Some programs use password-protected ZIP files as their data files (various anti-spy/adware tools, for instance)... so it's nothing exceptional.

metalwork

  • Guest
Re:6000+ files password protected
« Reply #2 on: February 12, 2004, 06:09:51 PM »
Some of the files were in NU folders.  Sorry but I don't recall the specific names.  Also, I didn't see a way to save the log so I don't think it was saved.  I'm not at that computer now.  I run Spybot SD, HijackThis, Ad-aware and used NAV and Trend Micro's AV in the past.  There were A LOT of files!

Google and Altavista searches have been redirected on my computer and I'm frantically trying to fix the problem.  I feel violated and unable to retaliate.  It sounds like I have a trojan-host virus of some sort or a hijacking of some sort is going on.  

Forums are a great tool.  Thanks for replying.

Offline igor

Re:6000+ files password protected
« Reply #3 on: February 12, 2004, 06:58:30 PM »
NU... like Norton Utility? Norton Cleansweep keeps its database as a password protected ZIP, for example.

What exactly do you mean - google was redirected?

metalwork

  • Guest
Re:6000+ files password protected
« Reply #4 on: February 12, 2004, 07:11:42 PM »
When I type google.com I don't get to google.com but to a screen with a message "if you meant to go to google.com click here."  Then a few popup ads show up and I can either accept or cancel going to sites to download  software utilities for blocking popups.  I always cancel.

I'll have to run another scan and get specific files.

Tipton

  • Guest
Re:6000+ files password protected
« Reply #5 on: February 12, 2004, 07:49:01 PM »
When I type google.com I don't get to google.com but to a screen with a message "if you meant to go to google.com click here."  Then a few popup ads show up and I can either accept or cancel going to sites to download  software utilities for blocking popups.  I always cancel.

I'll have to run another scan and get specific files.

It sounds like you have a browser hijacking, or some other form of spyware on your system. You should run a scan with a spyware removing utility.

Douglas
« Last Edit: February 12, 2004, 07:50:08 PM by Tipton »

Firstc520

  • Guest
Re:6000+ files password protected
« Reply #6 on: February 13, 2004, 04:15:30 AM »
Metalwork, did you get the browser hijacking fixed? If not, please post your log on here. I will check it out and give ya a hand. Just the log though, please do not post the startup file.. lol. Most current version of HJT is 1.97.7

First_c

Offline igor

Re:6000+ files password protected
« Reply #7 on: February 13, 2004, 09:24:25 AM »
metalwork, if you want to try to fix it manually, open regedit and take a look at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

The ordinary prefixes should look like
www : http://
ftp : ftp://

etc. The default prefix should be http://
You may find the redirector there...
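
The check described in the reply above, as an added example that is not part of the original post: it parses the text output of `reg query` for the two keys and reports any prefix that is not a bare scheme or differs from the values named in this thread. The function names, the "bare scheme" rule and the sample data (with the placeholder host example.invalid) are assumptions made for illustration.

```python
import re

# Baseline taken from this thread (igor's description and metalwork's listing).
EXPECTED_PREFIXES = {"ftp": "ftp://", "gopher": "gopher://", "home": "http://",
                     "mosaic": "http://", "www": "http://"}
EXPECTED_DEFAULT = "http://"
# Assumption: a clean prefix is a bare scheme with nothing after "://".
BARE_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://$", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Return {subkey name: {value name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().rsplit("\\", 1)[-1], {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def audit(keys):
    """Return (key, value name, data, reason) for every value worth a look."""
    findings = []
    default = keys.get("DefaultPrefix", {}).get("(Default)")
    if default != EXPECTED_DEFAULT:
        findings.append(("DefaultPrefix", "(Default)", default, "not http://"))
    for name, data in keys.get("Prefixes", {}).items():
        if name == "(Default)":  # normally unset under Prefixes
            continue
        expected = EXPECTED_PREFIXES.get(name.lower())
        if not BARE_SCHEME.match(data):
            findings.append(("Prefixes", name, data, "text after the scheme"))
        elif expected and data != expected:
            findings.append(("Prefixes", name, data, "differs from baseline"))
    return findings

# Constructed sample, not from the thread; example.invalid is a placeholder host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
    (Default)    REG_SZ    http://example.invalid/r?u=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
    ftp    REG_SZ    ftp://
    www    REG_SZ    http://example.invalid/r?u=
"""
if __name__ == "__main__":
    print(*audit(parse_reg_query(SAMPLE)), sep="\n")
```

A finding is a prompt to inspect the value in regedit, not proof of infection; prefix names outside the baseline are only checked for the bare-scheme form.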

metalwork

  • Guest
Re:6000+ files password protected
« Reply #8 on: February 13, 2004, 01:03:15 PM »
Thanks, you guys.  I'll post the log tonight, I'm at my machine at work now.  No, it's not fixed.
I have the log posted at other forums with no responses so it doesn't look good.

metalwork

  • Guest
Re:6000+ files password protected
« Reply #9 on: February 14, 2004, 01:07:40 AM »
Logfile of HijackThis v1.97.7
Scan saved at 7:02:28 PM, on 2/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\ScanPanel\ScnPanel.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37569.6194212963
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23CDF299-0361-4B52-9075-9D9221D2CD79}: NameServer = 207.251.201.10 207.251.201.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{23CDF299-0361-4B52-9075-9D9221D2CD79}: NameServer = 207.251.201.10 207.251.201.11


metalwork

  • Guest
Re:6000+ files password protected
« Reply #10 on: February 14, 2004, 01:23:12 AM »
Igor,
This is what I find
Default prefix    htp://

Prefixes
(Default)     (value  not set)
ftp               ftp://
gopher        gopher://
home          http://
mosaic        http://
www           http://

What is this gopher?  Any advice?
Thanks


metalwork

  • Guest
Re:6000+ files password protected
« Reply #11 on: February 14, 2004, 01:37:58 AM »
Whatever the problem, it is apparently now fixed!  I can now go directly to Google and AltaVista.  I don't know what was fixed, though.  Ad-aware found something last night but I don't think that had anything to do with this problem.  Thanks for your time.  Any advice on how to learn more about spyware and virii?