
[Solved] Blocking of signing into everything.

Discussion in 'Malware and Virus Removal Archive' started by Takamachi, 2010/06/08.

  1. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK, let me take a look...
     
  2. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Thanks. I'll be back after a while, dinner n. n
     


  4. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is the issue with accessing security sites right now?

    You have some Norton's leftovers.
    Please, run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    Next...

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\ezsidmv.dat
    c:\windows\@desktop@.dat
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  5. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    lol, well considering Yahoo still isn't working, and I had to switch to safe mode to download the Norton remover, I'd say not too good.
    // switching to normal to run the remover
     
  6. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Here's the "Combofix.txt" / what about the "log.txt" that opened after I ran ComboFix?

    ComboFix 10-06-09.01 - Compaq_Owner 06/09/2010 21:13:42.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.382 [GMT -4:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    FILE ::
    "c:\windows\@desktop@.dat"
    "c:\windows\system32\ezsidmv.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\@desktop@.dat
    c:\windows\system32\ezsidmv.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
    .

    2010-06-09 00:58 . 2010-06-09 00:58 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2010-06-09 00:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-09 00:58 . 2010-06-09 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-09 00:58 . 2010-06-09 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-09 00:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-08 02:37 . 2010-06-10 01:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM
    2010-06-08 02:35 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-06-08 02:07 . 2010-06-08 02:07 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-06-08 02:05 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-06-08 02:05 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-06-08 01:36 . 2010-06-10 01:07 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype
    2010-06-08 01:36 . 2010-06-08 01:36 -------- d-----w- c:\program files\Common Files\Skype
    2010-06-08 01:36 . 2010-06-08 01:36 -------- d-----r- c:\program files\Skype
    2010-06-08 01:35 . 2010-06-08 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-06-08 01:30 . 2010-06-08 01:30 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Trillian

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-10 01:05 . 2004-10-21 10:13 -------- d-----w- c:\program files\Symantec
    2010-06-08 18:02 . 2005-07-17 03:48 -------- d-----w- c:\program files\Trillian
    2010-06-08 01:52 . 2010-02-17 07:30 -------- d--h--w- c:\program files\Blue Coat K9 Web Protection
    2010-06-07 22:48 . 2010-02-07 14:23 -------- d-----w- c:\program files\Spyware Doctor
    2010-06-07 22:48 . 2010-02-07 14:23 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-06-07 22:28 . 2008-06-13 19:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-02 20:17 . 2010-03-20 04:15 439816 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Real\Update\setup3.10\setup.exe
    2010-05-04 21:14 . 2010-05-04 21:14 -------- d-----w- c:\program files\Sierra Online
    2010-04-30 16:50 . 2004-08-04 12:00 34816 ----a-w- c:\windows\system32\noraunanoranorae.dll
    2010-04-20 20:57 . 2010-02-15 01:30 1 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-04-01 01:27 . 2010-01-04 03:21 37248 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-29 12:36 . 2009-09-29 12:36 18136 ----a-w- c:\program files\Common Files\ilowuh.dl
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-20 32881]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
    "SiSPower"="SiSPower.dll" [2004-09-24 49152]
    "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-10-21 45056]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2004-06-30 00:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2004-06-05 02:38 286720 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    2003-02-12 03:02 61440 ----a-w- c:\hp\KBD\kbd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-15 04:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-08-04 15:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-10-20 14:47 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-08-21 06:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-02-14 08:50 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2004-10-22 19:53 53248 ----a-w- c:\windows\system32\VTTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=3 (0x3)
    "gusvc"=2 (0x2)
    "bckwfs"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys --> c:\windows\system32\drivers\bckd.sys [?]
    S4 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [12/11/2009 6:52 PM 1078632]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-10 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-21 08:46]

    2010-06-10 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]

    2010-06-09 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 22:43]

    2010-06-09 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 22:43]

    2010-06-09 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 20:25]

    2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 20:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Trusted Zone: comcast.net\www
    Trusted Zone: netzero.net\www
    FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\hw11uj8w.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\cfgwiz.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-09 21:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-06-09 21:26:18
    ComboFix-quarantined-files.txt 2010-06-10 01:26
    ComboFix2.txt 2010-06-09 22:44
    ComboFix3.txt 2010-06-09 22:22

    Pre-Run: 14,510,252,032 bytes free
    Post-Run: 14,498,144,256 bytes free

    - - End Of File - - D7FA2762533CDDAB1C14A521A5CCF59C
     
  7. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Omfg, I thought I'd try Yahoo again and it worked >>;
    I'm going to try other sites, then restart and try without running anything.
     
  8. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Yup yup. Just got back from restarting and it seems that everything is working n. n Not too sure what fixed it but I'm sooo thankful to you <3
     
  9. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)
    Hold on for a moment, I need to look through this whole topic.
     
  10. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===========================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  11. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    As for HijackThis...

    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE: If you're using Vista or 7, right-click on HijackThis and click Run as Administrator.
     
  12. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Working on the Kaspersky thing. Having a few problems but I think I got it working

    // maybe not, keep getting a pop up:

    Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.

    Is this step important? xP I'm going to keep trying to get it to work.
     
  13. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Just in case Kaspersky throws fits (it happens)...

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  14. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Running ESET, taking a good bit so once it's done I'm going to post it. Then run HijackThis, post and head to bed.
     
  15. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  16. 2010/06/09
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    ESET's been running for an hour and it's only at 29%. I'm going to head to bed, can't stay up all night waiting for this scan x. x; I'll just post it when I get up. Thanks for the help today n. n
     
  17. 2010/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Not a problem :)
    I expect your computer to be pretty much clean by now...
     
  18. 2010/06/10
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    Sorry it took so long, computer reset overnight so I had to rerun the scan :/

    C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP131\A0017049.dll a variant of Win32/Spy.Delf.OHC trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP131\A0017050.dll a variant of Win32/Spy.Delf.OHC trojan cleaned by deleting - quarantined

    Off to run HijackThis
     
  19. 2010/06/10
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    And here's the HijackThis.log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:44:30 PM, on 6/10/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5563 bytes
     
  20. 2010/06/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Re-run HJT and checkmark:

    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


    Click "Fix checked" button.

    When done...


    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
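A small triage script for HijackThis-style log lines, added here as an example; it is not HijackThis' own code nor anything posted in this thread. It flags the two patterns behind the entries broni asks to fix above: an O2 BHO whose DLL is reported "(file missing)" (a dead leftover of the uninstalled Norton product) and an O4 autostart whose program is a bare filename with no directory (ALCXMNTR.EXE), which Windows resolves through the search PATH. On the constructed sample it also flags the Rundll32 SiSPower entry, which the thread did not fix; a flag means "look at this entry", not "remove it". The "(no file)" marker is assumed from other HijackThis output forms and does not appear in the log above.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis' own code).

Flags the two kinds of entry the analyst picked out of the posted log:
  * O2 BHO entries whose DLL no longer exists ("(file missing)"): dead leftovers
  * O4 autostart entries whose program has no directory (e.g. ALCXMNTR.EXE):
    Windows resolves these through the search PATH, so they deserve a look.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format (a subset of the entries posted above).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# O2: "O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
# O4 registry Run keys: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^O4 - (?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O4 startup folder shortcuts: "O4 - Global Startup: <shortcut>.lnk = <target>"
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<command>.*)$")


@dataclass
class Finding:
    name: str
    reason: str
    line: str


def executable_of(command: str) -> str:
    """Program part of an autostart command: the quoted token if present, else the first token.
    An unquoted path containing spaces is cut at the first space, which still keeps its directory."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def has_directory(program: str) -> bool:
    """True when the program is given with a directory (or an env-var root), not as a bare name."""
    return "\\" in program or program.startswith("%")


def triage(lines):
    """Return findings for a list of HijackThis log lines; sections other than O2/O4 are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # "(no file)" is an assumed alternative marker; only "(file missing)" is in the posted log.
            if m.group("target").endswith(("(file missing)", "(no file)")):
                findings.append(Finding(m.group("name"), "BHO is registered but its DLL is missing", line))
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            program = executable_of(m.group("command"))
            if not has_directory(program):
                findings.append(Finding(m.group("name"),
                                        f"autostart program '{program}' has no directory and is resolved via PATH",
                                        line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.name}] {f.reason}\n    {f.line}")
```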
  21. 2010/06/10
    Takamachi

    Takamachi Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    34
    Likes Received:
    0
    It seems fine. A little slow, but I'm used to my 4GB RAM and 2.5GHz processor so I figured this comp should seem a bit slow for me. Thanks for all the help n. n
     
