
Solved infection or Internet Explorer problem, can't type in search box

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2010/01/11.

  1. 2010/01/12
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I uninstalled ComboFix and ran TFC, then tried to run Kaspersky; I got an error message that it needed Java 1.5 or later to run. I downloaded Java 1.5 and tried to install it, but got an error message saying that the installation had been interrupted. Not sure where to go next. I did disable the firewall and Avira, but CyberDefender is still active and I can't disable or remove it.
     
  2. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How can you tell?

    Regarding Java...

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
     


  4. 2010/01/12
    mva5493

    Under Windows Security Center, under Virus Protection, it says CyberDefender Internet Security is up to date and virus scanning is on.
     
  5. 2010/01/12
    broni

    Don't worry about it. It's just a listing. We'll take care of it later. Please remind me later.
    Go ahead with the other step(s).
     
  6. 2010/01/13
    mva5493

    Could whatever is affecting this computer also cause it not to recognize Java? I have tried to install Java several times, and each time the install wizard has said it stopped and didn't install. One of the error messages said that it was unable to remove older versions of Java because the folder was unavailable. So I did a search to see where the folder is; I also don't see the folder, but after searching files I have found multiple versions on the machine. Kaspersky doesn't recognize that Java is on the machine. Any suggestions for the next step?
     
    Last edited: 2010/01/13
  7. 2010/01/13
    broni

    Download and install AVP Tool.
    After installation, leave all settings as they are, and simply click on the Scan button.
    When the scan is done, if any objects are found, click on the Neutralize all button.
    Next, click the Reports... button, then Save to file....
    Save the file to a known location as report.txt.
    Open report.txt in Notepad, copy all of its content, and post it in your next reply.

    Post fresh HijackThis log as well.
     
  8. 2010/01/14
    mva5493

    Virus removal tool report:
     
  9. 2010/01/14
    mva5493

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:20 AM, on 1/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

    --
    End of file - 4031 bytes
     
  10. 2010/01/14
    mva5493

    Don't know if this is related to this machine's problems or not: while using Firefox, a pop-up is coming up requesting to clear private data (browser history, cache, cookies, offline website data, saved passwords, authenticated sessions) with everything except saved passwords checked.
     
  11. 2010/01/14
    broni

    You're supposed to save the AVZ report as report.txt. A text file, not an XML file. I can't read the log.

    Please run a free online scan with the ESET Online Scanner

    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  12. 2010/01/14
    mva5493

    Log from ESET:
    esets_scanner_update returned -1 esets_gle=37125
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=fbace946dde7f84e9bb41085149ff124
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-01-14 09:01:01
    # local_time=2010-01-14 04:01:01 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 94 0 35214492 0 0
    # compatibility_mode=5377 16777214 0 5 5190566 5226398 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=31276
    # found=0
    # cleaned=0
    # scan_time=3310
     
  13. 2010/01/14
    broni

    Very good :)

    Print this post out, since at some point you won't have access to it.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    - O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
    - O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    - O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
    - O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    - O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    - O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)


    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
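    The triage behind this checklist, as an added example (not part of the thread and not HijackThis's own code): a small Python parser that reads HijackThis log lines and picks out the entries whose backing file is reported gone ("(no file)" or "(file missing)"), which is the pattern the ticked O2/O9/O18 entries above follow. The sample log is a constructed subset of the lines posted earlier in the thread; FIXABLE_ORPHAN_SECTIONS is an assumption drawn from that selection, and O23 services with missing binaries are only reported for separate review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis v2.0.2 lines posted in this thread,
# with the 4-space forum indentation left in to show that the parser tolerates it.
SAMPLE_LOG = r"""
    Logfile of Trend Micro HijackThis v2.0.2
    Running processes:
    C:\WINDOWS\System32\smss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
    --
    End of file - 4031 bytes
"""

# HijackThis marks a registered component whose file is gone with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Sections the analyst ticked in this thread for orphaned entries (assumption:
# that selection generalises to BHOs, toolbars, IE buttons and protocol handlers).
FIXABLE_ORPHAN_SECTIONS = {"O2", "O3", "O9", "O18"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str          # e.g. "O2", "O9", "O23"
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # {GUID} if the entry carries one
    orphan: bool          # True when the backing file is reported missing


def parse_hjt(text: str) -> List[Entry]:
    """Turn a HijackThis log into Entry records; header and process lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            orphan=body.endswith(ORPHAN_MARKERS),
        ))
    return entries


def orphan_fix_candidates(entries: List[Entry]) -> List[Entry]:
    """Orphaned entries in the sections that were ticked for 'Fix checked' in this thread."""
    return [e for e in entries if e.orphan and e.section in FIXABLE_ORPHAN_SECTIONS]


def missing_services(entries: List[Entry]) -> List[Entry]:
    """O23 services whose binary is missing; kept apart because they were not ticked
    in the thread and need their own review rather than a blanket fix."""
    return [e for e in entries if e.orphan and e.section == "O23"]


def checklist(text: str) -> List[str]:
    """Render the fix candidates the way the thread's checklist does ('- O2 - BHO: ...')."""
    return [f"- {e.section} - {e.body}" for e in orphan_fix_candidates(parse_hjt(text))]


if __name__ == "__main__":
    for line in checklist(SAMPLE_LOG):
        print(line)
    for svc in missing_services(parse_hjt(SAMPLE_LOG)):
        print(f"review separately: {svc.section} - {svc.body}")
```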
     
  14. 2010/01/14
    mva5493

    New HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:34:42 PM, on 1/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

    --
    End of file - 3019 bytes
     
  15. 2010/01/14
    broni

    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  16. 2010/01/15
    mva5493

    System Restore turned off and back on, new restore points set, downloading WOT. Is it safe to remove all the programs used to diagnose and clean the system now (HJT, Malwarebytes, DDS, TFC...)?
     
  17. 2010/01/15
    broni

    Keep SUPERAntiSpyware and Malwarebytes. Use them to run occasional scans.
    Run TFC weekly.
    All the others can go.

    How is the computer doing?
     
  18. 2010/01/15
    mva5493

    It is very slow; I assume that is because of the extra programs on it and the low memory. The owner plans a memory upgrade as soon as I tell her what the system needs; I haven't taken the time to look it up yet. I am also looking into what else I can remove from the computer that she doesn't use or need. Overall she says it is running better than it was before I did anything to it. I have noticed that even though it is still slow, I am not getting the errors that were coming up before.
     
  19. 2010/01/15
    broni

    I'll mark this thread as "Resolved" then, since we don't have any security issues anymore.
    Please feel free to open a fresh topic in the Windows section about the computer's configuration.
     
  20. 2010/01/15
    mva5493

    Okay, thank you very much for all your help. Hopefully she will keep the protection updated and I won't be back with another problem.
     
  21. 2010/01/15
    broni

    Haha.....
    I wish her luck :)
     
