Adware, Trojans, etc. I need help with - Hijack This Log included


Solved Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Sun Dec 28, 2008 6:56 am

My niece wanted me to take her laptop on to see if I could do anything with it. From what she told me, it seemed like it's spyware and such...redirecting, homepage hijacked. She said even when she would do a google search and go to one of the results that it wouldn't be the page she was looking for (sounded like redirecting).

Well, the first thing I did was open up the internet browser and it was on some about:blank homepage. I was able to go to a few websites that I tried to go to, but did get some popup or extra browser window that wouldn't close titled "Contextual Ads".

Windows Security was prompting me to update and restart, so I did that. I also updated AVG and it found a couple of Trojan horses called SHeur2.GIF and Trojan horse Downloader.Generic8.HTG.

I also downloaded Super Anti-Spyware and it found several Adwares and a few trojans including Trojan.Vundo and Trojan DNSChanger-Codec, Rogue.Component/Trace, among several other things and fixed them.

I also ran Malwarebytes and fixed what it found.

Anyway, I also downloaded HiJack This and the log is below. Is there anything in it that needs to be fixed?

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:38 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {3AA95AAE-E4EC-460E-8842-B24E3847C8B5} - C:\WINDOWS\system32\ddcCSjiI.dll (file missing)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [628009724] "C:\Documents and Settings\All Users\Application Data\1468717278\628009724.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: rinwfm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6956 bytes


Thanks in advance!

LadySmith
Intermediate

Posts : 110
Joined : 2008-12-04
OS : Windows XP
Points : 29530
Likes : 0


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Sun Dec 28, 2008 1:21 pm

Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {3AA95AAE-E4EC-460E-8842-B24E3847C8B5} - C:\WINDOWS\system32\ddcCSjiI.dll (file missing)
    O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O4 - HKLM\..\Run: [628009724] "C:\Documents and Settings\All Users\Application Data\1468717278\628009724.exe"
    O20 - AppInit_DLLs: rinwfm.dll


  • Press "Fix Checked"
  • Close Hijack This.


Delete this folder in bold:
C:\Program Files\alot

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1

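Belahzur's reply above picks five lines out of the log by eye. As an added example (my own code, not something from the thread or from HijackThis), the script below encodes the same kind of reasoning as a small triage pass over HijackThis lines: an O2 BHO whose DLL is missing, an unnamed or known-unwanted add-on, an O4 Run entry with a purely numeric name or launching from Application Data or Temp, and a populated O20 AppInit_DLLs value are marked "fix"; an O10 "Unknown file in Winsock LSP" is only marked "review", because that wording means HijackThis does not recognise the file, not that it is malicious (nwprovau.dll in particular is the Client Service for NetWare provider that ships with Windows XP). The sample lines are copied from the log posted above, with the hidden start-page value replaced by the about:blank page LadySmith described; the rule set and the UNWANTED_ADDONS list are assumptions drawn from this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted above, with the
# hidden start-page value replaced by the about:blank page the poster described,
# plus benign lines (Google BHO, ehTray, ATI service) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {3AA95AAE-E4EC-460E-8842-B24E3847C8B5} - C:\WINDOWS\system32\ddcCSjiI.dll (file missing)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [628009724] "C:\Documents and Settings\All Users\Application Data\1468717278\628009724.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: rinwfm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, O2, O4, O20, ...
    line: str      # the raw log line
    severity: str  # "fix": strong indicator, "review": needs a human look first
    reason: str


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Add-on names the helper in this thread told the poster to remove. Assumption: a
# real tool would back this with a maintained reputation database of CLSIDs/hashes.
UNWANTED_ADDONS = {"alot toolbar"}

# Autostart locations from which legitimate software rarely launches.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\")


def triage_line(raw: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing stood out."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    low = body.lower()

    if sec == "O2" and "(file missing)" in low:
        return Finding(sec, raw, "fix", "BHO registration whose DLL is gone (orphaned after cleanup)")
    if sec in ("O2", "O3") and ("(no name)" in low or any(n in low for n in UNWANTED_ADDONS)):
        return Finding(sec, raw, "fix", "unnamed or known-unwanted browser add-on")
    if sec == "O4":
        name = re.search(r"\[(?P<name>[^\]]*)\]", body)
        if name and name.group("name").isdigit():
            return Finding(sec, raw, "fix", "Run entry with a purely numeric name")
        if any(d in low for d in SUSPECT_DIRS):
            return Finding(sec, raw, "fix", "Run entry launching from a user-data or temp directory")
    if sec == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return Finding(sec, raw, "fix", "AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll")
    if sec == "O10":
        return Finding(sec, raw, "review",
                       "Winsock LSP HijackThis cannot identify: check the file's publisher first "
                       "(removing a legitimate LSP can break networking)")
    return None


def triage(log_text: str) -> List[Finding]:
    findings = [triage_line(line) for line in log_text.splitlines()]
    return [f for f in findings if f is not None]


def fix_list(log_text: str) -> List[str]:
    """Lines a helper would tick under 'Do a system scan only' and then 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
```

Run over the sample it returns exactly the five lines Belahzur listed as "fix", plus the O10 line for review. The rules are deliberately narrow and name-based; a production triage tool would match add-on CLSIDs and file hashes against a reputation source rather than strings.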

Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Sun Dec 28, 2008 7:55 pm

OK, I had already run Malwarebytes and fixed what it found. I also updated Java. Now, I have fixed what you said to on HiJack This.

I also ran Malwarebytes again and the log is below:

Malwarebytes' Anti-Malware 1.31
Database version: 1563
Windows 5.1.2600 Service Pack 3

12/28/2008 1:51:34 PM
mbam-log-2008-12-28 (13-51-34).txt

Scan type: Quick Scan
Objects scanned: 51066
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\grandpack (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\GrandPack (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\ismbar2.exe (Adware.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Last edited by LadySmith on Sun Dec 28, 2008 8:15 pm; edited 1 time in total

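As an added example (not part of the thread and not Malwarebytes' own tooling), the parser below reads an MBAM 1.x log of the shape posted above into structured detections and checks two things a helper normally eyeballs: that the header counts agree with the items actually listed, and that every item was quarantined rather than left for a later reboot. The sample log is the one LadySmith posted, trimmed to the parts the parser reads; the CLEAN_ACTION string is taken from that log.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the Malwarebytes log posted above, trimmed to the parts the
# parser reads (header counts, per-category sections and detection lines).
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1563
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 51066

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\grandpack (Trojan.Agent) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\GrandPack (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\ismbar2.exe (Adware.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# item (Threat.Family) -> action.   Greedy item group so "Program Files (x86)" style
# parentheses inside a path do not confuse the threat-label capture.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
CLEAN_ACTION = "Quarantined and deleted successfully"


@dataclass
class Detection:
    category: str  # e.g. "Files Infected"
    item: str      # path or registry key
    threat: str    # MBAM family label, e.g. "Trojan.Agent"
    action: str    # what MBAM did with it


@dataclass
class Report:
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    @property
    def consistent(self) -> bool:
        """Header counts agree with the detection lines actually listed."""
        listed = Counter(d.category for d in self.detections)
        return all(listed[c] == n for c, n in self.summary.items())

    @property
    def families(self) -> Counter:
        return Counter(d.threat for d in self.detections)

    @property
    def unresolved(self) -> List[Detection]:
        """Items MBAM did not fully remove (anything other than a clean quarantine)."""
        return [d for d in self.detections if d.action != CLEAN_ACTION]


def parse_mbam_log(text: str) -> Report:
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            report.summary[m["category"]] = int(m["count"])
            continue
        if m := SECTION_RE.match(line):
            section = m["category"]
            continue
        if section and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return report


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("consistent:", r.consistent, "families:", dict(r.families))
    for d in r.unresolved:
        print("NOT CLEANED:", d.category, d.item)
```

On the posted log this yields four detections, three of them Trojan.Agent, with counts that match the header and nothing left unresolved; the shared GrandPack folder across the registry key, folder and uninstaller is the kind of grouping a parser makes visible at a glance.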

Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Sun Dec 28, 2008 8:12 pm

Just in case you need it, here's another HJT log as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:46 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5921 bytes


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Sun Dec 28, 2008 9:18 pm

Let's see if any of the Vundo remains.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.





Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 5:51 pm

Here's the ComboFix.txt:

ComboFix 08-12-28.04 - user 2008-12-29 11:43:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.155 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\Google\T-Scan
c:\documents and settings\user\Application Data\Google\T-Scan\n.gif
c:\documents and settings\user\Application Data\Google\T-Scan\t.gif
c:\documents and settings\user\Application Data\Google\T-Scan\y.gif
c:\windows\system32\_000111_.tmp.dll
c:\windows\system32\IijSCcdd.ini
c:\windows\system32\IijSCcdd.ini2
c:\windows\Tasks\jngtsbnz.job
c:\windows\wiaserviv.log

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-29 11:37 . 2008-12-29 11:37 d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-28 13:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 13:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-28 13:39 . 2008-12-28 13:40 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 02:31 . 2008-12-28 02:31 d-------- c:\program files\Java
2008-12-28 02:31 . 2008-12-28 02:31 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 02:31 . 2008-12-28 02:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 01:31 . 2008-12-28 02:07 d-------- c:\documents and settings\user\.SunDownloadManager
2008-12-28 01:17 . 2008-12-28 01:17 0 --a------ c:\windows\nsreg.dat
2008-12-27 22:34 . 2008-12-27 22:34 33,832 --a------ c:\windows\system32\xjrkzjvc.exe
2008-12-27 22:34 . 2008-12-27 22:34 127 --a------ c:\windows\system32\MRT.INI
2008-12-27 22:12 . 2008-10-16 14:38 6,066,176 --a------ c:\windows\system32\SETB7.tmp
2008-12-27 22:12 . 2008-10-16 14:38 1,160,192 --a------ c:\windows\system32\SETA9.tmp
2008-12-27 22:12 . 2008-10-16 14:38 826,368 --a------ c:\windows\system32\SETA7.tmp
2008-12-27 22:12 . 2008-10-16 14:38 477,696 --a------ c:\windows\system32\SETAF.tmp
2008-12-27 22:12 . 2008-10-16 14:38 459,264 --a------ c:\windows\system32\SETB1.tmp
2008-12-27 22:12 . 2008-10-16 14:38 383,488 --a------ c:\windows\system32\SETB9.tmp
2008-12-27 22:12 . 2008-10-16 14:38 267,776 --a------ c:\windows\system32\SETB5.tmp
2008-12-27 22:12 . 2008-10-16 14:38 233,472 --a------ c:\windows\system32\SETA8.tmp
2008-12-27 22:12 . 2008-10-16 14:38 124,928 --a------ c:\windows\system32\SETC1.tmp
2008-12-27 22:12 . 2008-10-16 14:38 105,984 --a------ c:\windows\system32\SETAA.tmp
2008-12-27 22:12 . 2008-10-16 14:38 63,488 --a------ c:\windows\system32\SETBE.tmp
2008-12-27 22:12 . 2008-10-16 14:38 52,224 --a------ c:\windows\system32\SETB0.tmp
2008-12-27 22:11 . 2008-12-13 00:40 3,593,216 --a------ c:\windows\system32\SETA3.tmp
2008-12-27 22:03 . 2008-12-28 02:48 d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2008-12-27 22:03 . 2008-12-27 22:03 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 21:58 . 2008-12-27 21:58 d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-27 21:57 . 2008-12-27 21:57 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 12:00 . 2008-12-08 12:00 d-------- c:\windows\system32\config\systemprofile\Application Data\alot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 09:53 --------- d-----w c:\documents and settings\user\Application Data\LimeWire
2008-12-13 14:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-11 19:02 --------- d-----w c:\program files\Google
2008-11-17 21:39 --------- d-----w c:\documents and settings\user\Application Data\Twain
2008-11-17 02:06 --------- d-----w c:\documents and settings\user\Application Data\HP
2008-11-17 02:01 --------- d-----w c:\documents and settings\LocalService\Application Data\HP
2008-11-17 01:42 --------- d-----w c:\program files\HP
2008-11-17 01:42 --------- d-----w c:\program files\Hewlett-Packard
2008-11-17 01:42 --------- d-----w c:\program files\Common Files\HP
2008-11-12 04:18 --------- d-----w c:\program files\LimeWire
2008-11-01 23:48 --------- d-----w c:\documents and settings\user\Application Data\alot
2008-10-28 21:43 --------- d-----w c:\documents and settings\user\Application Data\MySpace
2008-10-28 21:42 --------- d-----w c:\program files\MySpace
2008-03-14 03:42 13,195 ----a-w c:\documents and settings\user\ZGUICFG.DAT
2008-03-08 17:26 13,195 ----a-w c:\documents and settings\user\ZGUICFGW.DAT
2008-01-21 04:02 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\user\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-10-16 1746224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-09-24 00:08 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 17:27 9117696 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-28 02:31 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-10-19 21:18 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2008-01-15 3456]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-10-16 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-10-16 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-10-16 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-10-16 59776]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-29 11:48:47 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-12-29 17:48:44

Pre-Run: 50,830,643,200 bytes free
Post-Run: 51,028,074,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

170 --- E O F --- 2008-12-28 06:22:58


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Mon Dec 29, 2008 5:57 pm

Hello.
CF log says winlogon is infected, so we need to find out if it really is infected.

Locate this file below in bold:
c:\windows\system32\winlogon.exe
Upload it to this site for a scan.
[You must be registered and logged in to see this link.]
Copy and paste the report back here.





Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 6:38 pm

Ok, I ran it through the online scanner (that is awesome btw...going through all of those scanners! Thanks for that website!). Here are the results:

File: winlogon.exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ed0ef0a136dec83df69f04118870003e
Packers detected: -


Scanner results
Scan taken on 29 Dec 2008 18:33:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Mon Dec 29, 2008 6:47 pm

Hello.
I see Limewire installed on this system.
Limewire is one of the biggest P2P programs out there, and is a malware writers' favourite playground. Chances are you will be instantly infected by anything downloaded from Limewire.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Limewire


Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\xjrkzjvc.exe
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETA3.tmp

Folder::
c:\windows\system32\config\systemprofile\Application Data\alot
c:\documents and settings\user\Application Data\Twain
c:\documents and settings\user\Application Data\LimeWire
c:\program files\LimeWire

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 7:32 pm

Ok, I removed the Limewire and did what you said. I've told her that Limewire is bad for things like that, but she said that she just uses it from time to time and closes it out as soon as she's done. She'll probably end up putting it back on there. :sigh:

Anyway, here's the log. I'll have to break it up because it keeps telling me that the message is too big.

ComboFix 08-12-28.04 - user 2008-12-29 13:19:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.145 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\SETA3.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\xjrkzjvc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\LimeWire
c:\documents and settings\user\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\user\Application Data\LimeWire\createtimes.cache
c:\documents and settings\user\Application Data\LimeWire\downloads.dat
c:\documents and settings\user\Application Data\LimeWire\fileurns.bak
c:\documents and settings\user\Application Data\LimeWire\fileurns.cache
c:\documents and settings\user\Application Data\LimeWire\filters.props
c:\documents and settings\user\Application Data\LimeWire\gnutella.net
c:\documents and settings\user\Application Data\LimeWire\installation.props
c:\documents and settings\user\Application Data\LimeWire\library.dat
c:\documents and settings\user\Application Data\LimeWire\limewire.props
c:\documents and settings\user\Application Data\LimeWire\mojito.props
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\user\Application Data\LimeWire\questions.props
c:\documents and settings\user\Application Data\LimeWire\responses.cache
c:\documents and settings\user\Application Data\LimeWire\simpp.xml
c:\documents and settings\user\Application Data\LimeWire\spam.dat
c:\documents and settings\user\Application Data\LimeWire\tables.props
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\ttrees.cache
c:\documents and settings\user\Application Data\LimeWire\ttroot.cache
c:\documents and settings\user\Application Data\LimeWire\version.xml
c:\documents and settings\user\Application Data\LimeWire\versions.props
c:\documents and settings\user\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\user\Application Data\Twain
c:\windows\system32\config\systemprofile\Application Data\alot
c:\windows\system32\SETA3.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\xjrkzjvc.exe


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 7:33 pm

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-29 12:23 . 2008-12-29 12:25 d-------- c:\windows\system32\drivers\Avg
2008-12-29 12:23 . 2008-12-29 12:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-29 12:23 . 2008-12-29 12:23 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-29 12:23 . 2008-12-29 12:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-29 12:22 . 2008-12-29 12:22 d-------- c:\program files\AVG
2008-12-29 12:22 . 2008-12-29 13:11 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 13:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 13:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-28 13:39 . 2008-12-28 13:40 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 02:31 . 2008-12-28 02:31 d-------- c:\program files\Java
2008-12-28 02:31 . 2008-12-28 02:31 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 02:31 . 2008-12-28 02:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 01:31 . 2008-12-28 02:07 d-------- c:\documents and settings\user\.SunDownloadManager
2008-12-28 01:17 . 2008-12-28 01:17 0 --a------ c:\windows\nsreg.dat
2008-12-27 22:34 . 2008-12-27 22:34 127 --a------ c:\windows\system32\MRT.INI
2008-12-27 22:03 . 2008-12-28 02:48 d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2008-12-27 22:03 . 2008-12-27 22:03 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 21:58 . 2008-12-27 21:58 d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-27 21:57 . 2008-12-27 21:57 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 22:28 47,578 ----a-w c:\windows\system32\fglyjgpntkyvmnb.exe
2008-12-13 14:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-11 19:02 --------- d-----w c:\program files\Google
2008-12-05 23:48 53,942 ----a-w c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-30 18:24 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-17 09:21 3,416 ----a-w c:\windows\system32\PerfStringBackup.TMP
2008-11-17 02:06 --------- d-----w c:\documents and settings\user\Application Data\HP
2008-11-17 02:01 --------- d-----w c:\documents and settings\LocalService\Application Data\HP
2008-11-17 01:42 --------- d-----w c:\program files\HP
2008-11-17 01:42 --------- d-----w c:\program files\Hewlett-Packard
2008-11-17 01:42 --------- d-----w c:\program files\Common Files\HP
2008-11-01 23:48 --------- d-----w c:\documents and settings\user\Application Data\alot
2008-10-28 21:43 --------- d-----w c:\documents and settings\user\Application Data\MySpace
2008-10-28 21:42 --------- d-----w c:\program files\MySpace
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\SET95.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-03-14 03:42 13,195 ----a-w c:\documents and settings\user\ZGUICFG.DAT
2008-03-08 17:26 13,195 ----a-w c:\documents and settings\user\ZGUICFGW.DAT
2008-01-21 04:02 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-29 18:23:16 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-12-29 19:06:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_344.dat
+ 2006-12-02 04:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 04:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 04:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 04:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 06:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 06:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 06:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 06:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 06:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 06:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 06:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 06:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 06:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^VZAccess Manager.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\VZAccess Manager.lnk
backup=c:\windows\pss\VZAccess Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-29 12:22 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-09-24 00:08 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 17:27 9117696 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-06-27 02:21 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-28 02:31 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-10-19 21:18 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2008-01-15 3456]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-29 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-29 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-29 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 231704]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-10-16 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-10-16 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-10-16 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-10-16 59776]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-29 13:21:33
ComboFix-quarantined-files.txt 2008-12-29 19:21:31

Pre-Run: 50,973,061,120 bytes free
Post-Run: 51,046,244,352 bytes free

254 --- E O F --- 2008-12-28 06:22:58

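An added triage helper for ComboFix logs like the one above (example code, not part of the thread or of ComboFix itself). It parses the "Files Created" and "Find3M Report" entry formats and flags what the helper singled out next: random-named executables such as fglyjgpntkyvmnb.exe, executables in system32 that are not in a baseline, and .tmp files sitting in system32. The KNOWN_GOOD name list and the vowel-ratio heuristic are constructed for this example; a real baseline keys on file hashes, not names.

```python
"""Triage helper for the 'Files Created' and 'Find3M Report' sections of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the helper's
procedure. The heuristics and the KNOWN_GOOD list are constructed for the
example; a production baseline would use file hashes, as the multi-scanner
check earlier in the thread does, because a file name is trivially spoofed.
"""
import re
from typing import Dict, List, Tuple

# Sample input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.
2008-12-29 12:23 . 2008-12-29 12:25 d-------- c:\windows\system32\drivers\Avg
2008-12-29 12:23 . 2008-12-29 12:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-29 12:23 . 2008-12-29 12:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-28 02:31 . 2008-12-28 02:31 410,984 --a------ c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 22:28 47,578 ----a-w c:\windows\system32\fglyjgpntkyvmnb.exe
2008-12-13 14:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-05 23:48 53,942 ----a-w c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-30 18:24 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\SET95.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
"""

# One regex covers both layouts: 'Files Created' lines carry two timestamps and a
# size; 'Find3M' lines carry one timestamp and print --------- for directories.
ENTRY_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?:(?P<size>[\d,]+)\s+|-{9}\s+)?"
    r"(?P<attrs>[d-][-a-z]+)\s+"
    r"(?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)

SYSTEM32 = "c:\\windows\\system32"
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}

# Constructed name baseline: the Windows Update, Java and AVG components listed
# in the thread's log. A demo stand-in only; real baselines are hash-based.
KNOWN_GOOD = {
    "termsrv.dll", "gdi32.dll", "wininet.dll", "wuweb.dll", "wuaueng.dll",
    "wuapi.dll", "wucltui.dll", "cdm.dll", "wuauclt.exe", "wups2.dll",
    "wups.dll", "strmdll.dll", "deploytk.dll", "avgrsstx.dll",
}


def parse_entries(log_text: str) -> List[Dict[str, object]]:
    """Return one dict per file/directory line; banners and '.' separators are skipped."""
    entries: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d: Dict[str, object] = dict(m.groupdict())
        d["is_dir"] = str(d["attrs"]).lower().startswith("d")
        d["size"] = int(str(d["size"]).replace(",", "")) if d["size"] else None
        entries.append(d)
    return entries


def looks_random(stem: str) -> bool:
    """Dropper names like fglyjgpntkyvmnb have 8+ letters and almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.10


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Flag files a helper would inspect first, with the reason for each flag."""
    findings: List[Tuple[str, List[str]]] = []
    for e in parse_entries(log_text):
        if e["is_dir"]:
            continue
        path = str(e["path"])
        folder, _, name = path.lower().rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if not dot:                      # no extension at all
            stem, ext = name, ""
        else:
            ext = "." + ext
        reasons: List[str] = []
        if folder == SYSTEM32 and ext == ".tmp":
            reasons.append("temp file in system32 (installer leftover or dropped binary)")
        if folder == SYSTEM32 and ext in EXEC_EXT and name not in KNOWN_GOOD:
            reasons.append("executable in system32 not in baseline")
        if ext in EXEC_EXT and looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for flagged_path, why in triage(SAMPLE_LOG):
        print(flagged_path)
        for reason in why:
            print("    -", reason)
```

Run on the sample it flags exactly the three system32 entries Belahzur went on to remove with OTMoveIt and CFScript, and leaves the Windows Update and AVG components alone.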

Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Mon Dec 29, 2008 7:36 pm

Hello.
There are two leftover files that might have been missed.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :files
    c:\windows\system32\fglyjgpntkyvmnb.exe
    c:\windows\system32\SET95.tmp

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 7:53 pm

OK, I did the OTMoveIt, but when I tried to copy the Results window, all I got was a ding and the OTMoveIt program window was not active. Then, behind it, I noticed a message about rebooting system. Now, that it's rebooted, the OTMoveIt program on the desktop is not showing the icon. It's just showing that blue and white program icon thingy. I've tried to click on it but get nothing.


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 7:55 pm

OK, I think I found the log at C:\OTMoveIt\MovedFiles

Here it is:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\system32\fglyjgpntkyvmnb.exe moved successfully.
c:\windows\system32\SET95.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_35c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_c88.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_344.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12292008_134157


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Mon Dec 29, 2008 7:58 pm

I'm actually surprised that worked.
AVG8 doesn't like OTMoveIt, but AVG7 has no problems.

Please delete these two folders now:
C:\Qoobox
C:\_OTMoveIt

What problems remain?



Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 8:00 pm

Everything seems to be running great! Thanks so much!!! Hopefully it will continue to be running smoothly when I give it back to her this afternoon.

You're a lifesaver!!!! I really truly appreciate it! Thank You!


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 8:01 pm

Oh, do I uninstall the ComboFix too? If so, how?


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Belahzur on Mon Dec 29, 2008 8:02 pm

Press Start > Run
Type in:
ComboFix /u <== note the space between x and /
Press enter.

This will start the uninstall.
====

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.



Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by LadySmith on Mon Dec 29, 2008 8:11 pm

Thanks so much! Before I give the laptop back to her, I will download FireFox (which is what I use as well) and one of the anti-spyware programs and a firewall.

Thank you! Thank you!!! Thank You!


Solved Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Post by Doctor Inferno on Sat Feb 14, 2009 3:55 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

