Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked By Web Folders Or Something Else


  • This topic is locked This topic is locked
6 replies to this topic

#1 golferone

golferone

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 17 August 2008 - 08:52 PM

I've gone through the steps posted, so I hope someone can look at my log and help.

I noticed that I have an icon "Web Folders" when I open My Computer it is listed under Other. I didn't set this up and am concerned that it is a remote access that is pulling my info. I right click on it but I don't have the options listed are Open, Browse with Paint Shop Pro Studio, Explore, and Create Shortcut.

I am running McAfee, Spybot, Superanti Spyware, Malwarebytes, ATF cleaner, and Adware. I noticed a lot of registry changes for IE but I normally don't use IE. I have attached the info from my scans and hope this is an easy fix. smile.

I'm still new to this forum stuff, so be kind.

Attached Files



BC AdBot (Login to Remove)

 


#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:57 AM

Posted 29 August 2008 - 03:43 AM

Hello


Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Posted Image

#3 golferone

golferone
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 02 September 2008 - 06:03 AM

Here is what I have from the scans.

Attached Files



#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:57 AM

Posted 02 September 2008 - 09:09 AM

Hello :thumbsup:

Let's start clean your computer with instructions below. If you have questions , please feel free to ask :)

Step #1
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

Step #2
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {BBB8D1F5-95D2-4503-967E-B307CF39E956} - (disabled by BHODemon)
O20 - Winlogon Notify: khfFWqOE - C:\WINDOWS\


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #3
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    C:\WINDOWS\system32\1C.tmp
    C:\WINDOWS\system32\1E.tmp
    C:\WINDOWS\system32\nypmydfu.ini
    C:\WINDOWS\system32\93e0d90a-.txt
    C:\WINDOWS\system32\DeggfMoq.ini2
    C:\WINDOWS\system32\DeggfMoq.ini
    C:\WINDOWS\system32\23.tmp
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Reboot your computer if OtMoveit2 didn't.

Step #4
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight >>Viewpoint Media Player<< , click Remove.
4. After uninstalling please remove next folder:
C:\Program Files\Viewpoint

Step #5
Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Step #6
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #7
Please post OtMoveIt log, Mbam log and a fresh Hijackthis log back here :)

Ps. Have you set these by yourself?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Edited by Baabiouz, 02 September 2008 - 09:11 AM.

Posted Image

#5 golferone

golferone
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 06 September 2008 - 10:15 AM

Here is what I have from OTMoeOT2 by OldTimer.

C:\WINDOWS\system32\1C.tmp moved successfully.
C:\WINDOWS\system32\1E.tmp moved successfully.
C:\WINDOWS\system32\nypmydfu.ini moved successfully.
C:\WINDOWS\system32\93e0d90a-.txt moved successfully.
C:\WINDOWS\system32\DeggfMoq.ini2 moved successfully.
C:\WINDOWS\system32\DeggfMoq.ini moved successfully.
C:\WINDOWS\system32\23.tmp moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09062008_093332

Here is what I have from Malwarebytes.

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

9/6/2008 10:27:30 AM
mbam-log-2008-09-06 (10-27-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107558
Time elapsed: 33 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

New Hijack attached.


As for your p.s. The only thing it may be is my DSL or my Netgear, but to tell you the truth I don't know. I reviewed my DSL and Netgear info and they all start with 1XX and so on.

I have loaded a screen shot of what I am talking about.

Hope this helps.

Attached Files



#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:57 AM

Posted 07 September 2008 - 05:27 AM

Hello :thumbsup:

Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems.

Reboot your computer (if you didn't do that) and post a fresh HijackThis log back here :)
How's your pc working now? :)
Posted Image

#7 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:57 AM

Posted 12 September 2008 - 06:31 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users