BleepingComputer.com: HijackThis Log: Please help Diagnose

#16 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 18 August 2011 - 06:22 PM

Hi

Please do the following:

This will take care of the items we need to take care of that were found by ESET

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button underneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.



NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.



NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#17 CA_2007

  • New Member
  • Group: Members
  • Posts: 13
  • Joined: 26-July 11

Posted 18 August 2011 - 11:09 PM

Hi CatByte,

Just wanted to make sure. You are asking me to post here a new DDS log. But shouldn't I also run ESET, since it was ESET that found the issues?

Also, apart from the Java issues, ESET pointed to these 3 files:

\smitRem\Process.exe Win32/PrcView application
\smitRem.exe Win32/PrcView application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP891\A0075706.exe a variant of Win32/AdInstaller application

So should I ignore those files, or should I delete them?

Thanks,

CA_2007

#18 CatByte

Posted 19 August 2011 - 04:22 AM

You don't need to re-run ESET once the Java cache is cleared out.

Two items found by ESET are describing the type of program you have > smitRem, which I recognize as a malware removal tool; it isn't saying it is a threat. The other item is in an old restore point, which we will clean up when ComboFix is uninstalled, which we will do when you are completely clean and we clean up our tools.

I need to see a fresh DDS log so I can check and make sure there is no more malware on your machine.
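The triage reasoning in the reply above (an "application" label names a program type, and a hit under System Volume Information\_restore is a copy inside an old restore point), written out as an added Python example that is not part of the original thread. The regex, the action labels and the one constructed "trojan" line are assumptions of this example; the three other lines are the findings quoted in post #17.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three findings quoted in post #17: file path, then ESET's detection name.
PAGE_FINDINGS = r"""
\smitRem\Process.exe Win32/PrcView application
\smitRem.exe Win32/PrcView application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP891\A0075706.exe a variant of Win32/AdInstaller application
"""

# Constructed line (not from the thread) so the "live detection" branch is exercised.
CONSTRUCTED_FINDING = r"C:\Documents and Settings\bob\Local Settings\Temp\sample.exe Win32/Example.A trojan"

# path <space> [a variant of] Platform/Name [type]. The paths use backslashes,
# so the first "word/word" token marks where the detection name starts.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<variant>(?:probably )?a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/\S+)"
    r"(?:\s+(?P<kind>[a-z][a-z ]*))?$"
)
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Finding:
    path: str
    name: str
    kind: str               # trailing type word, e.g. "application"; "" if absent
    variant: bool           # True when reported as "a variant of ..."
    in_restore_point: bool
    action: str


def decide(kind: str, in_restore_point: bool) -> str:
    """Apply the reply's reasoning; the action labels are this example's own."""
    if in_restore_point:
        # Inactive copy kept by System Restore; it goes when old restore points are purged.
        return "PURGE_RESTORE_POINT"
    if kind == "application":
        # The scanner is naming a program type, not calling it malware:
        # confirm it is a tool that was installed on purpose.
        return "CONFIRM_TOOL"
    return "REMOVE"


def parse_finding(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path, kind = m["path"], (m["kind"] or "").strip()
    in_rp = RESTORE_MARKER in path.lower()
    return Finding(path, m["name"], kind, m["variant"] is not None, in_rp, decide(kind, in_rp))


def triage_report(text: str) -> Tuple[List[Finding], List[str]]:
    """Return (findings, unparsed lines) so odd lines are surfaced, not dropped."""
    findings, unparsed = [], []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        f = parse_finding(line)
        if f:
            findings.append(f)
        else:
            unparsed.append(line)
    return findings, unparsed


if __name__ == "__main__":
    found, odd = triage_report(PAGE_FINDINGS + CONSTRUCTED_FINDING)
    for f in found:
        print(f"{f.action:20} {f.name:20} {f.path}")
    for line in odd:
        print("UNPARSED", line)
```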

#19 CA_2007

Posted 20 August 2011 - 02:27 PM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 10.0.0
Run by bob at 7:27:56 on 2011-08-20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.sbc.com/dsl
mStart Page =
uInternet Connection Wizard,ShellNext = "c:\program files\msn gaming zone\windows\CHKRZM.EXE"
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [PDUiP6600DMon] c:\program files\canon\memory card utility\ip6600d\PDUiP6600DMon.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTkzNzA5ODY2LVQxNS1CQSsxLUtWMys3LVhMKzEtRlA5KzYtVEI5KzItRkwrOS1RSVgxKzQtRjEwTTEwRCsyLUxJQysyMi1TUDErMS1TVUQrMS1TMUkrMS1TVTMrMS1YMjAxMCsyLUZMMTArMS1UVUcrMy1ERFQrMC1MU0QrMg"&"prod=90"&"ver=10.0.1392
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38031.7579398148
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{2C60782C-5521-4AFF-A994-2C0281E59CC1} : NameServer = 68.94.156.1,68.94.157.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\wdazdaru.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\java\jre7\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\npjpi170.dll
FF - plugin: c:\program files\java\jre7\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsld3706c84;MpKsld3706c84;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2e1ed564-8b4d-4f3f-968a-26c08df07c29}\MpKsld3706c84.sys [2011-8-20 28752]
S2 gupdate1c9cc3da20a781a;Google Update Service (gupdate1c9cc3da20a781a);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
.
=============== File Associations ===============
.
JSEFile=notepad.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-08-20 14:10:15 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2e1ed564-8b4d-4f3f-968a-26c08df07c29}\MpKsld3706c84.sys
2011-08-20 14:07:25 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2e1ed564-8b4d-4f3f-968a-26c08df07c29}\mpengine.dll
2011-08-20 05:34:51 -------- d-----w- c:\documents and settings\bob\local settings\application data\Sun
2011-08-20 05:29:00 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-20 05:29:00 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-20 05:28:59 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-18 14:25:28 -------- d-----w- c:\program files\ESET
2011-08-18 03:47:42 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-18 03:26:12 -------- d-----w- c:\documents and settings\bob\application data\Malwarebytes
2011-08-17 20:42:23 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-17 20:42:05 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-17 20:41:49 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 20:41:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-17 02:21:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-08-17 02:21:30 215920 ----a-w- c:\windows\system32\muweb.dll
2011-08-17 02:21:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-08-16 20:57:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-16 06:13:41 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-15 03:45:21 -------- d-sha-r- C:\cmdcons
2011-08-15 03:40:57 98816 ----a-w- c:\windows\sed.exe
2011-08-15 03:40:57 518144 ----a-w- c:\windows\SWREG.exe
2011-08-15 03:40:57 256000 ----a-w- c:\windows\PEV.exe
2011-08-15 03:40:57 208896 ----a-w- c:\windows\MBR.exe
2011-08-03 19:50:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 23:23:51 388096 ----a-r- c:\documents and settings\bob\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-24 23:23:49 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
.
============= FINISH: 7:29:49.82 ===============




#20 CatByte

Posted 20 August 2011 - 02:30 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the DDS and aswMBR logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.




If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.


  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.


  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE


  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.


  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.


  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.



**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

#21 CA_2007

Posted 20 August 2011 - 03:29 PM

Hi CatByte,

Please bear with me for another second before I move on to the cleanup. I was just about to address your previous request: "advise how the computer is running now and if there are any outstanding issues." Well, the computer is running fine, and I am very happy we caught some malware and that you made me get rid of AVG as well as upgrade my Java and Acrobat. It's all great. Unfortunately, the original issue that prompted me to post here is still there. Namely, when I use Google maps with my Firefox browser, Firefox crashes all the time. So basically I open Firefox, go to Google, click on "Maps", enter a street address, hit ENTER - and it crashes! I suspect it has something to do with Firefox add-ons or plugins, or maybe GoogleUpdater, but I am not sure. Or is it Flash? But you made me upgrade my Acrobat and that - I think - upgraded Flash as well. Anyway, I am not sure what to do about this problem. Interestingly enough, my old browser IE6.0 works fine with Google maps. So now I use IE when I need to do the maps. But I actually switched from IE to Firefox long ago, after an infection, because I was told Firefox was safer.

Do you have any comments on my Firefox/Google maps issue?

Thank you,
CA_2007

#22 CA_2007

Posted 20 August 2011 - 03:39 PM

Actually here's the Firefox crash report:

Add-ons: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}:7.0,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
BuildID: 2009042316
CrashTime: 1313872564
InstallTime: 1242743986
ProductName: Firefox
SecondsSinceLastCrash: 103
StartupTime: 1313872473
Theme: classic/1.0
URL: http://maps.google.com/maps?hl=en&tab=wl
Vendor: Mozilla
Version: 3.0.10

#23 CatByte

Posted 20 August 2011 - 06:21 PM

That is usually a Java issue > clear the Java cache and clear your browsing history (use the Temp File Cleaner I linked to above).

If that makes no difference, then it could be an add-on that is causing the problem.

Start Firefox in the Firefox safe-mode to see if there is a troublesome add-on causing the issue:

http://support.mozilla.com/en-US/kb/Safe%20Mode

If starting in Safe-mode works then disable your extensions (Tools > Add-ons > Extensions or use the option in the Safe-mode window) and re-enable them one by one until you find which one is causing it.

Close and restart Firefox after each change.

Let me know how that goes.

#24 CA_2007

Posted 21 August 2011 - 02:04 PM

Hi CatByte,

Well, it turned out my Firefox was so old, it didn't even have a safe mode option! So I jumped from Firefox 3.0 to 6.0 and now I am a happy camper! Thank you very much for your help! A couple of last questions. When I was uninstalling ComboFix, I forgot to switch my anti-virus off :( There was an error message from MS security essentials saying that it found a C:\"some long weird number"\iexplore.exe file which it thought was suspicious. I dismissed that message. Finally I got a message from ComboFix saying that Combofix has uninstalled. Is that ok?

Finally, I was wondering if you are going to erase this topic soon? If you do, I need to copy all your final recommendations some place.

Thank you,

CA_2007

#25 CatByte

Posted 21 August 2011 - 03:48 PM

Hi,

The topic will be closed, but you will still have access to it.

It sounds OK, that is the normal ComboFix message, so I don't believe MSSE interfered with the uninstall.

#26 CA_2007

Posted 21 August 2011 - 03:58 PM

Thank you very much again!

#27 CatByte

Posted 21 August 2011 - 03:59 PM

You are welcome

stay safe

~CB

#28 CatByte

Posted 21 August 2011 - 03:59 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
