New_Age
Aug 27 2006, 08:07 PM
Hi, I'm over here at my GF's house and I don't have much time. Please look at the log ASAP. Thanks to anyone who can help.
P.S. - They have Avast! Home Edition (up to date), Ewido and A-Squared. I have scanned and done everything. I now turn for help here!
CODE
Logfile of HijackThis v1.99.1
Scan saved at 4:03:52 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Documents and Settings\Owner.YOUR-6JNHHU0520\Desktop\HijackThis.exe
C:\Documents and Settings\Owner.YOUR-6JNHHU0520\My Documents\HTJ\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wildtangent.com/ddc/hpcompaq_migrate
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced WindowsCare] "C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150842517921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150842483593
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
YoKenny
Aug 27 2006, 10:14 PM
New_Age, I'll provide my observations of the log.
In case something goes wrong and you need to back up, create a folder for HijackThis, as you do not want the HijackThis logs in the Temp folder nor all over your Desktop.
Press the Windows key + E to start Windows Explorer, then navigate to the hard drive, right click, select New, then Folder, and name it HJT.
Move HijackThis into this folder.
Go to Add/Remove Programs and uninstall WildTangent.
Start HijackThis after you have closed ALL other applications, then check the following and "Fix checked" if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ <== this is good
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wildtangent.com/ddc/hpcompaq_migrate
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
Install SiteAdvisor as it shows an indicator of bad sites you are visiting:
http://www.siteadvisor.com
Install ALL recommended prevention protection and keep it updated regularly by reading the announcements at Calendar of Updates.
Tarun
Aug 27 2006, 10:44 PM
Ignore what YoKenny said. It may say that files are missing for Avast, but they are present. Just look at the top of the log where it clearly says:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Just stop posting YoKenny.
New_Age, aside from WildTangent (remove that ASAP from Add/Remove Programs) your log is clean. You should definitely trash this:
O4 - HKCU\..\Run: [Advanced WindowsCare] "C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe" /startup
It screws up your services and causes numerous other errors, including with other software.
You should run a scan with Ad-Aware and Spybot, definitely.
New_Age
Aug 27 2006, 10:53 PM
QUOTE(Tarun @ Aug 27 2006, 06:44 PM) [snapback]47355[/snapback]
Ignore what YoKenny said. It may say that files are missing for Avast, but they are present. Just look at the top of the log where it clearly says:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Just stop posting YoKenny.
New_Age, aside from WildTangent (remove that ASAP from Add/Remove Programs) your log is clean. You should definitely trash this:
O4 - HKCU\..\Run: [Advanced WindowsCare] "C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe" /startup
It screws up your services and causes numerous other errors, including with other software.
You should run a scan with Ad-Aware and Spybot, definitely.
I can no longer help my GF's parents out on their computer as I'm at home. I will continue next time I'm over there. I'll do what you said *Tarun, but why is *YoKenny wrong?
Note: I've run Spybot and Ad-Aware and it didn't help much. I installed Maxthon and have all ad-blockers checked but still get pop-up ads. I ran a scan with Ewido and it found two High Risk files, *Hi.Jacker.Virus or... the name was similar, but it did contain the name HiJacker or whatever. I removed it though.
I did scan again for viruses, and I don't know... last time I checked it came up with none, but now IDK... as I haven't gotten a chance to scan. Again... thanks for the help and I'll get to it when I have a chance to get over there again, which will probably be by next Saturday.
rridgely
Aug 27 2006, 11:05 PM
Next time you're over there do this:
Run Kaspersky WebScanner - Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files.
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, then close the Kaspersky On-line Scanner window.
Post that Kaspersky log as well as a new HijackThis log.
-------------------------------------------------------------------------
As for the avast (file missing) entries, it's an old problem of HijackThis to wrongly list some files as missing when they really aren't. That's why you have to be careful when deleting things.
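What the "(file missing)" on those two avast services looks like up close, as an added example that is not code from the thread or from HijackThis: the log prints the path as '...ashMaiSv.exe" /service', which is what you get when the registry ImagePath is a quoted path followed by an argument ("C:\...\ashMaiSv.exe" /service, an assumption consistent with the log line) and the checker strips only the quotes it can see at the ends before testing whether the file exists. How HijackThis 1.99.1 really parsed it is not on the page, so naive_exe() below only reproduces the symptom. The script contrasts that with the way Windows itself resolves an ImagePath, using a constructed service list and a constructed stand-in for the filesystem (the "Example *" services and PRESENT_FILES are invented) so it runs offline. It also flags the opposite problem, an unquoted path containing spaces, which is a real privilege-escalation risk rather than a display bug.

```python
import ntpath

# Constructed sample: ImagePath values as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The avast entries
# are inferred from the O23 lines in the thread; the "Example *" ones are
# invented for this example.
SAMPLE_IMAGE_PATHS = {
    "avast! Antivirus": r'"C:\Program Files\Alwil Software\Avast4\ashServ.exe"',
    "avast! Mail Scanner": r'"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service',
    "avast! Web Scanner": r'"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service',
    "Example Unquoted": r"C:\Program Files\Example Vendor\agent.exe -k svc",
    "Example Missing": r'"C:\Program Files\Example Vendor\gone.exe" /run',
}

# Constructed stand-in for the filesystem so the example runs anywhere.
# On a real host replace file_exists() with os.path.isfile().
PRESENT_FILES = {
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe",
    r"C:\Program Files\Example Vendor\agent.exe",
}


def file_exists(path, present=PRESENT_FILES):
    """Case-insensitive lookup, since NTFS paths are case-insensitive."""
    return path.lower() in {p.lower() for p in present}


def naive_exe(image_path):
    """Strip quotes from the ends and treat everything else as the path.

    This reproduces the misparse visible in the thread's log: with an
    argument after the closing quote the path comes out as
    '...ashMaiSv.exe" /service', which does not exist on disk, so the
    service is reported as "(file missing)" although the file is there.
    """
    return image_path.strip().strip('"')


def resolve_image_path(image_path, present=PRESENT_FILES):
    r"""Resolve an ImagePath the way the Service Control Manager does.

    Quoted: the executable is exactly the quoted string; the rest is args.
    Unquoted: each space-delimited prefix is tried in turn (with .exe added
    when the prefix has no extension), so C:\Program Files\X\agent.exe is
    tried as C:\Program.exe, then C:\Program Files\X.exe, then the full
    path. That search order is why an unquoted path with spaces is a
    privilege-escalation risk when an earlier prefix is in a directory a
    low-privileged user can write to.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        exe = image_path[1:end] if end != -1 else image_path[1:]
        args = image_path[end + 1:].strip() if end != -1 else ""
        return {"exe": exe, "args": args, "exists": file_exists(exe, present),
                "unquoted_with_spaces": False, "tried": [exe]}
    parts = image_path.split(" ")
    tried = []
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if not ntpath.splitext(candidate)[1]:
            candidate += ".exe"
        tried.append(candidate)
        if file_exists(candidate, present):
            return {"exe": candidate, "args": " ".join(parts[i:]),
                    "exists": True, "unquoted_with_spaces": " " in candidate,
                    "tried": tried}
    return {"exe": image_path, "args": "", "exists": False,
            "unquoted_with_spaces": " " in image_path, "tried": tried}


def audit_services(image_paths=SAMPLE_IMAGE_PATHS, present=PRESENT_FILES):
    """Compare the naive check with the real resolution for every service."""
    report = {}
    for name, image_path in image_paths.items():
        resolved = resolve_image_path(image_path, present)
        report[name] = {
            "exe": resolved["exe"],
            "args": resolved["args"],
            "naive_says_missing": not file_exists(naive_exe(image_path), present),
            "really_missing": not resolved["exists"],
            "unquoted_with_spaces": resolved["unquoted_with_spaces"],
        }
    return report


if __name__ == "__main__":
    for name, row in audit_services().items():
        flags = [k for k in ("naive_says_missing", "really_missing",
                             "unquoted_with_spaces") if row[k]]
        print(f"{name:22} {row['exe']}  {' '.join(flags) or 'ok'}")
```

Run as is, the two avast scanner services come out as "naive_says_missing" but not "really_missing", which is exactly the false positive rridgely describes; "Example Missing" is the only entry that is genuinely gone, and "Example Unquoted" is the one worth fixing (quote the ImagePath) even though its file exists.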
New_Age
Aug 27 2006, 11:11 PM
QUOTE(rridgely @ Aug 27 2006, 07:05 PM) [snapback]47357[/snapback]
Next time you're over there do this:
Run Kaspersky WebScanner - Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files.
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, then close the Kaspersky On-line Scanner window.
Post that Kaspersky log as well as a new HijackThis log.
-------------------------------------------------------------------------
As for the avast (file missing) entries, it's an old problem of HijackThis to wrongly list some files as missing when they really aren't. That's why you have to be careful when deleting things.
I was stupid enough to try to scan the computer through Maxthon, but it came up with an error while installing because the *ActiveX blocker was enabled. I was mad, but I told them that it finished scanning, which was a lie. Yes.. I'm still ashamed, and I told them it found nothing. I'll scan it with just... IE next time. I will do as told. Till then... guys, and thanks!
Tarun
Aug 27 2006, 11:14 PM
QUOTE(New_Age @ Aug 27 2006, 06:53 PM) [snapback]47356[/snapback]
I can no longer help my GF's parents out on their computer as I'm at home. I will continue next time I'm over there. I'll do what you said *Tarun, but why is *YoKenny wrong?
Note: I've run Spybot and Ad-Aware and it didn't help much. I installed Maxthon and have all ad-blockers checked but still get pop-up ads. I ran a scan with Ewido and it found two High Risk files, *Hi.Jacker.Virus or... the name was similar, but it did contain the name HiJacker or whatever. I removed it though.
I did scan again for viruses, and I don't know... last time I checked it came up with none, but now IDK... as I haven't gotten a chance to scan. Again... thanks for the help and I'll get to it when I have a chance to get over there again, which will probably be by next Saturday.
Pretty much what I said in my post.
He's having you remove search pages (which is fine) but he's telling you to remove the services for Avast. The thing is, those services are present and working.
It'd be like me telling you to stop running and to remove services that are required for Windows to load.
This is why people should only listen to actual PC Techs.
New_Age
Aug 27 2006, 11:17 PM
QUOTE(Tarun @ Aug 27 2006, 07:14 PM) [snapback]47359[/snapback]
Pretty much what I said in my post.
He's having you remove search pages (which is fine) but he's telling you to remove the services for Avast. The thing is, those services are present and working.
It'd be like me telling you to stop running and to remove services that are required for Windows to load.
This is why people should only listen to actual PC Techs.
lol, ok. I did quite understand why. Just thought I'd see what you had to say. I may be 19 but my GF and her parents are GLAD they have me around, otherwise they would have bought a new computer in the next couple of months.
P.S - Your link to your website doesn't work. Fix it please...
Tarun
Aug 28 2006, 12:38 AM
QUOTE(New_Age @ Aug 27 2006, 07:17 PM) [snapback]47360[/snapback]
lol, ok. I did quite understand why. Just thought I'd see what you had to say. I may be 19 but my GF and her parents are GLAD they have me around, otherwise they would have bought a new computer in the next couple of months.
P.S - Your link to your website doesn't work. Fix it please...

Tech savvy people rule; so long as they have a real tech to be guided by. ;P
There was a network issue along the way to Lunarsoft.net earlier. It should be all sorted now.
New_Age
Aug 28 2006, 01:35 AM
The page still fails to load.
No matter though. I'll try some other time. *Want to stay on topic here
New_Age
Aug 30 2006, 01:24 AM
Ok, I'm heading over there tomorrow after school. I'll post the log ASAP when it's finished.
Tarun
Aug 30 2006, 02:13 AM
Good deal!
New_Age
Aug 30 2006, 11:09 PM
Fixing switched to this Saturday. Till then guys...
New_Age
Sep 2 2006, 06:09 PM
Ok, here's the log...
rridgely
Sep 2 2006, 06:21 PM
Clear out System Restore and you should be good.
To flush the infected restore points:
Click Start Menu > All Programs > Accessories > System Tools > System Restore.
Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.
Next go to Start Menu > Run > type
cleanmgr
Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.
Have all the problems stopped?
Also, it might be a good idea to post a new HijackThis log.
New_Age
Sep 2 2006, 06:27 PM
Ok, I will do as told, but you seem to be posting the same stuff to different users who have problems. By any chance do you have this copied in Notepad or Microsoft Word?
rridgely
Sep 2 2006, 06:34 PM
Yep.

Don't worry, I only use them when they apply to the specific issue though.
It's just a way to keep me from typing everything each time. Andy sent me a few useful ones (including the above one).
New_Age
Sep 2 2006, 06:51 PM
Any other problems?
rridgely
Sep 2 2006, 06:57 PM
Looks good.
Is the computer acting right now?
New_Age
Sep 2 2006, 07:03 PM
Let me search through the web some and I'll report back.
New_Age
Sep 2 2006, 07:26 PM
Ok, so far no pop-up ads, but I'll let ya know if anything comes up later. I scanned with Spybot and am scanning with Ad-Aware. It has found just cookies, which I will delete, and I will clear out all cookies and files and even history from forums. Thanks for your help

But were the infected files and the 3 viruses bad in any way, as in what were they doing to cause such slowdown?
New_Age
Sep 2 2006, 09:35 PM
Ok, my GF's mother went on her account and was on Maxthon. She still had pop-up ads. Please... look carefully into the log I attached.
*Tarun, you sent me a message and you just told me what you saw. Do I remove it or what? Thanks.
rridgely
Sep 2 2006, 10:37 PM
From that Kaspersky log, everything that was real malware was in System Restore. As long as you cleared it out you should be good. You did rescan the computer with Ewido like you said you were going to before, right? If that came up clean as well then you should be good. It would be a good idea to go ahead and clean up the computer with CCleaner as well.
I don't know what Tarun is telling you to remove, but more than likely it's all just optional fixes (like all those toolbars). The only other thing detected by Kaspersky was from HP.
I would also show your girlfriend's parents this to help prevent problems in the future.
Tony Klien's "So how did I get infected in the first place"
http://www.castlecops.com/postlite7736-.html
New_Age
Sep 2 2006, 11:13 PM
Ok, IDK... what to do. I've scanned for spyware and viruses. It's best sometimes to reformat, which I can't do at the time.
rridgely
Sep 2 2006, 11:28 PM
I thought you said there were no problems anymore? Is everything back to normal or not?
Edit:
I misread the post. (I thought it said she didn't have ads.)
Rename HijackThis to something else (like 123.exe or something). Make sure you rename the actual .exe and not a shortcut. Take a log from the renamed HijackThis and post it.
Also download SuperAntiSpyware here:
http://www.superantispyware.com/superantis...efreevspro.html
Download, update and scan with it.
New_Age
Sep 3 2006, 12:53 AM
As far as right now, nothing has really been going on. I only received one pop-up ad through the day after we cleaned everything out. But I'll do all this some other time. I'll repost the log when I remove what *Tarun told me to remove...
New_Age
Sep 3 2006, 01:06 AM
Ok *Tarun, I removed the file. IDK... if everything is fixed. I feel as though I'm failing....
New_Age
Sep 3 2006, 02:12 AM
Ok *rridgely, I downloaded the program and updated it all. I had to go home, but I told my GF's step-dad to remove whatever was there. It found 1 worm, though, last I saw it.
Guys, I'll be there tomorrow so we will continue this, but hey, I just thought of something.
My GF's step-dad *Mark has this disk that contains games. I'm not sure if it came with their computer, but could those games be related to the problem? Their computer is an HP, P4 1.5GHz with 384MB of RAM. I was nice enough to throw in a 256MB stick. But anyways, I think some of the games are from www.wildtangent.com. Again, I'm not sure if it came with the computer, which I highly doubt, or if he ordered the disk.
The disk installs a package of games. I know this may be stupid, but if for any reason those games ARE related and we need to remove them, and if it's not much trouble, I would like to do some searching for some free games. FREEWARE ONLY! Thanks...
rridgely
Sep 3 2006, 02:35 AM
Alright, SuperAntiSpyware automatically saves a log after it removes anything. To find it, open SuperAntiSpyware > Preferences > Statistics/Logs.
Post those logs. Also rename HJT like I said before and post a log from it (but whatever was hiding might already be removed by then by SAS).
Probably a good idea to start a new topic and ask for recommendations for games.
New_Age
Sep 3 2006, 02:58 AM
Why would renaming the actual .exe file make a difference?
rridgely
Sep 3 2006, 03:51 AM
Because lately a lot of malware can shield itself from HijackThis (using rootkit-type components). Renaming it can make it show up sometimes. What I didn't remember was that WinFixer (Vundo variant) is one of the ones that can do it.
That's what KAV detected in your System Restore. I don't know if KAV can detect it otherwise or not.
Currently I believe SAS is the only one that can clean it up. Post the scan log from SAS tomorrow and I'll see if that's what it found. If not, then there is a removal tool for it.
New_Age
Sep 3 2006, 04:26 AM
Ok, cool. I'll be on tomorrow around... say 1:00PM.
New_Age
Sep 3 2006, 07:48 PM
Ok, here are the logs.
rridgely
Sep 4 2006, 04:20 AM
Alright, renaming HijackThis didn't reveal anything new. However, SuperAntiSpyware did remove a pretty nasty bug.
This is what it removed:
http://www3.ca.com/securityadvisor/pest/pe...px?id=453098448
Anyway, how is the computer acting now? Are the pop ups all gone?
New_Age
Sep 4 2006, 04:24 PM
Nope, the pop-ups still keep coming. I wonder if it has to do with the games they have installed. I forgot to look into the company who developed the games. My fault there. But I'm away from the house. I will continue within the next weekend.
New_Age
Sep 5 2006, 07:38 PM
Ok, I'm going over to my GF's house after school tomorrow. Are there any other ideas you guys can think of?
Note: I'll look into who makes the games they have installed.
New_Age
Sep 6 2006, 01:01 AM
Anyone? I'll be left with no other option but to format if they'd let me. IDK... if they're still having pop-ups or not, but I'll see when I get there. I'm sure they still are though.
rridgely
Sep 6 2006, 01:26 AM
http://forum.ccleaner.com/index.php?showtopic=6329
Make sure you have done all of that.
Update a few of them and run them again just to see if they find anything they didn't before (I would run Ewido and SAS).
Here are instructions for BlackLight:
Download Blacklight beta HERE and save it to your desktop.
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.
Just run BlackLight and see if it finds anything.
Also get an updated HijackThis log and post it here as well with the BlackLight log.
-----------------------------
This is all of course if it wasn't fixed.
New_Age
Sep 9 2006, 09:09 PM
Ok, I'm heading there tomorrow, rridgely. I'll do as told. Wish me luck.
Note: Nice guide there, man.
New_Age
Sep 11 2006, 08:53 PM
Ok, nothing was detected by the program and BitDefender found no infection. I scanned with Ad-Aware and Spybot again... but all Ad-Aware found was cookies. No major infections. I may just leave their computer alone until they buy a new one when their tax time comes, which will be in Feb., and when that happens my GF will hopefully have it; then I can reformat and do what I want to do to it.
rridgely
Sep 11 2006, 09:02 PM
What kind of pop ups were they getting? Were they only coming on certain sites or every time they used IE?
New_Age
Sep 11 2006, 09:08 PM
They get pop-up ads sometimes while opening IE. Some show up while browsing Myspace, but their home page is set to Google. They use Maxthon most of the time now since I showed them how tabbed browsing works. I'm really out of ideas and may just wait till they buy a new computer.
rridgely
Sep 11 2006, 09:17 PM
Try putting Firefox or Opera on it just to see if they get them from those as well. Myspace has ads/pop ups etc. all over it. But if they are getting them from just opening their browser to Google then that's not right. (Maxthon is better than IE, but it will still get pop ups that Firefox and Opera will not.)
I don't see anything in the HJT logs, and if the scanners are coming up clean then everything should be fine. Send these links to your girlfriend's parents and ask them to run these scanners (both are really quick):
Pest Patrol online scan:
http://www3.ca.com/securityadvisor/pestscan/
Trend Micro online spyware scan:
http://www.trendmicro.com/spyware-scan/
Try putting a hosts file on the computer to block ads/pop ups.
http://www.mvps.org/winhelp2002/hosts.htm
Did you put SpywareBlaster on the computer?
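The hosts file cuts both ways, and the check below is an added example, not code from the thread or from the MVPS project. A blocklist-style file like the one rridgely links maps ad and tracker names to 0.0.0.0 or 127.0.0.1 so the browser never reaches them; malware that edits the same file maps real names to an address it controls, which is what HijackThis reports as O1 entries. The script parses a constructed hosts file and separates the two cases. The blocked hostnames and the 192.0.2.45 address are invented for the example; the two redirected names are real sites that appear in the thread's log and are used only to show what a hijack of them would look like.

```python
import ipaddress

# Constructed sample hosts file. The sinkholed names are invented; the two
# redirected names are real sites from the thread's HijackThis log, pointed
# here at 192.0.2.45 (a documentation address) to stand in for an
# attacker-controlled host. The last two lines are deliberately malformed.
SAMPLE_HOSTS = """\
# Example hosts file assembled for this demonstration
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
0.0.0.0         banners.example.com     # blocklist entry with a comment
127.0.0.1       tracker.example.org
192.0.2.45      www.google.com
192.0.2.45      update.microsoft.com
0.0.0.0
notanaddress    broken.example
"""


def parse_hosts(text):
    """Return (entries, malformed).

    entries is a list of (line_no, ip_address, [hostnames]); comments start
    at '#' and blank lines are skipped. A line whose first field is not an
    address, or that carries no hostname, goes to malformed instead of
    being silently dropped, since a hand-edited hosts file often breaks
    exactly there.
    """
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((line_no, raw))
            continue
        if len(fields) < 2:
            malformed.append((line_no, raw))
            continue
        entries.append((line_no, ip, [h.lower() for h in fields[1:]]))
    return entries, malformed


def audit_hosts(text):
    """Classify hosts entries.

    blocked:    names sent to 0.0.0.0 or a loopback address (ad blocking)
    redirected: names sent anywhere else; a hijack unless you put it there
    malformed:  lines parse_hosts() could not use
    The 'localhost' mappings are neither and are left out of both lists.
    """
    entries, malformed = parse_hosts(text)
    blocked, redirected = [], []
    for line_no, ip, names in entries:
        sinkhole = ip.is_unspecified or ip.is_loopback
        for name in names:
            if name == "localhost":
                continue
            if sinkhole:
                blocked.append(name)
            else:
                redirected.append((line_no, name, str(ip)))
    return {"blocked": blocked, "redirected": redirected, "malformed": malformed}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} names sinkholed")
    for line_no, name, ip in result["redirected"]:
        print(f"line {line_no}: {name} -> {ip}  (redirect: check this!)")
    for line_no, raw in result["malformed"]:
        print(f"line {line_no}: malformed: {raw!r}")
```

On a real machine you would feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; anything in the "redirected" list that points a security vendor, update server or search engine at an outside address is the kind of entry to remove, and a hosts file with thousands of sinkholed names is the ad-blocking list working as intended, not an infection.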
New_Age
Sep 11 2006, 09:24 PM
I forgot about SpywareBlaster. How could I...
But I'll get over there some other time. For now I'm stuck at my house. I'll let ya know what happens when putting Firefox on the computer.
rridgely
Sep 15 2006, 09:30 PM
I messaged Andy about your issue and he suggested a ComboFix log to make sure everything is 100% clean. Instructions below:
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running as it may cause it to stall.
Also get a new HijackThis log with that so we can see if anything has changed.
New_Age
Sep 17 2006, 11:00 AM
QUOTE(rridgely @ Sep 15 2006, 05:30 PM) [snapback]49200[/snapback]
I messaged Andy about your issue and he suggested a ComboFix log to make sure everything is 100% clean. Instructions below:
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running as it may cause it to stall.
Also get a new HijackThis log with that so we can see if anything has changed.
Just a question here. What if it doesn't find anything?
Eldmannen
Sep 17 2006, 01:24 PM
As for Maxthon, it is just a shell for Internet Explorer with some new features such as tabbed browsing. But under the shell is still the Trident engine, so using Maxthon will be unsafe and your computer can be infected easily by spyware and stuff.
Do yourself a favor, get Mozilla Firefox!

QUOTE(New_Age @ Sep 17 2006, 11:00 AM) [snapback]49382[/snapback]
Just a question here. What if it doesn't find anything?

Start worrying about that when it doesn't find anything.
rridgely
Sep 17 2006, 03:00 PM
QUOTE(New_Age @ Sep 17 2006, 07:00 AM) [snapback]49382[/snapback]
Just a question here. What if it doesn't find anything?

That program lists a lot of stuff you can't see with HijackThis. If it doesn't show up in that, then your problems are almost certainly not being caused by malware. (Nothing is 100%, of course.) Get the ComboFix log and post it.
Eldmannen
Sep 17 2006, 05:54 PM
What is combofix?
What does it do? What is it good for?
Mike Rochip
Sep 17 2006, 06:07 PM
QUOTE(Eldmannen @ Sep 17 2006, 11:54 AM) [snapback]49422[/snapback]
What is combofix?
What does it do? What is it good for?
What is Combofix?