
log shows hijack.start menu registry data

33 replies to this topic

#1 lindaga35

  • Members
  • 384 posts
  • Gender:Female

Posted 30 November 2010 - 11:50 AM

I ran 2 scans this morning after Firefox opened to pbs.com instead of the Yahoo homepage and I had a box pop up with an update to an add-on. I meant to say no, BUT I SAID YES. It was after that I ran these scans.

It found this: hijack.startmenu registry data HKEY_Current_user/software\microsoft window

I deleted it and then I ran a safe mode scan and it found it again. (I did restart my computer before the safe scan.)

Then I ran Avira AntiVir Personal; it didn't find anything.

Am I clean??? I also found a log that was saved that I didn't know of. (I think my hubby closed the program.)

I'm attaching that log too.

Attached File: mbam-log-2010-11-30 (08-06-43).txt (1.02KB)

Thank You


#2 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 07 December 2010 - 05:35 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:



#3 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 07 December 2010 - 07:25 AM

I wanted to let you know that I'm still having the same problem and now I CAN'T PUT THE PC INTO SAFE MODE. So, I'm going to run those scans and reply with the logs.

Thank you for helping me.


I'm so afraid my info on my PC has been hacked for sure now.

#4 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 07 December 2010 - 04:42 PM

Here are the logs you wanted:

Thanks again!

Attached Files

  • Attached File: ark.txt (94.98KB)
  • Attached File: DDS.txt (15.08KB)


#5 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 08 December 2010 - 06:01 AM

Hello and welcome to Bleeping Computer. :)

*Please enable topic reply notification, follow step # 4 -> Here.

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please do not attach logs unless instructed.

*You must reply within 5 days otherwise this topic will be closed.


===========================================================


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

[Posted Image: the Recovery Console installation prompt]


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Posted Image: the "Recovery Console installed" message]


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 08 December 2010 - 09:38 AM

I ran ComboFix and before it was done, it popped up a screen that said: The application failed to initialize because the window station is shutting down.

It asked me to press OK, so I did and it continued to run.

Here is the log.
Attached File: combofix.txt (16.39KB)

#7 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 08 December 2010 - 10:09 AM

Please do not attach logs unless instructed.


1. Click Start > Run > copy/paste the bolded text below > press Enter. A text file will pop up, please post the contents of that file.

"C:\Qoobox\Add-Remove Programs.txt" > uninstall.txt& start uninstall.txt



2. We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

File::
c:\windows\system32\drivers\rootrepeal2.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Driver::
rootrepeal2

4. Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: dragging CFScript.txt onto ComboFix.exe]

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

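The Registry:: section of the CFScript in post #7 resets DisableMonitoring for ZoneLabsFirewall under the Windows Security Center Monitoring key. The PowerShell script below is an added example, not part of the thread and not ComboFix's own code: it audits every product subkey under that Monitoring key and flags any whose DisableMonitoring value is 1, which is the setting that silences Security Center's "firewall/antivirus off" warnings for that product. It assumes an XP/Vista-era system where the key exists and is read-only unless the commented Set-ItemProperty line at the end is uncommented.

```powershell
# Added example, not from the thread and not ComboFix's own code: audit the Security Center
# "Monitoring" subkeys, where the CFScript's Registry:: section resets DisableMonitoring
# for ZoneLabsFirewall. DisableMonitoring = 1 tells Security Center to stop watching that
# product, so its "firewall/antivirus off" warnings go quiet. Assumes an XP/Vista-era
# system where this key exists; run from an elevated prompt. Read-only unless you
# uncomment the last line.
$base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'

if (-not (Test-Path -Path $base)) {
    Write-Output "No Security Center Monitoring key at $base (not present on this Windows version)."
    return
}

Get-ChildItem -Path $base | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $flag  = $props.DisableMonitoring          # $null when the value has never been set
    [pscustomobject]@{
        Product           = $_.PSChildName
        DisableMonitoring = $(if ($null -eq $flag) { '(not set)' } else { $flag })
        Status            = $(if ($flag -eq 1) { 'MONITORING DISABLED - review' } else { 'ok' })
    }
} | Format-Table -AutoSize

# Restore monitoring for one product (the same change the CFScript makes for
# ZoneLabsFirewall). The subkey name is a placeholder; substitute the one flagged above.
# Set-ItemProperty -Path "$base\ZoneLabsFirewall" -Name DisableMonitoring -Value 0 -Type DWord
```

A product listed with DisableMonitoring set to 1 is not by itself proof of infection (some security suites set it during their own install), but on a machine under investigation it is worth comparing against what the vendor's own console reports, as the ZoneAlarm tray icon in post #8 no longer matched the program's own status.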


#8 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 09 December 2010 - 01:05 PM

I'm sorry about posting the logs from before, I got confused.

The ZoneAlarm icon in the toolbar usually says it's activated, but now when I scroll over the icon it doesn't say it.

When I open it up it says I'm protected.

ALSO, when I go to the newspaper's website it has symbols for words.

I just wanted to let you know.

I'm hoping you are wanting the log from the uninstall and the ComboFix.


I'm attaching them now.

Thank YOU

I named this ComboFix number 2 because the first one was still there.

Attached File: combofix.txt2.txt (13.75KB)
Attached File: Add-Remove Programs.txt (4.96KB)

Edited by lindaga35, 10 December 2010 - 08:02 AM.


#9 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 10 December 2010 - 09:52 PM

Hi,

Please do not attach logs, post them directly on your replies.


Viewpoint Warning:

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player



Asksbar/Ask Toolbar warning:

I strongly suggest that you uninstall Asksbar/Ask Toolbar. Some of the bad practices of this toolbar are:

  • Promoting its toolbars on sites targeted to kids. Details.
  • Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  • Promoting its toolbars through other companies' spyware. Details.
  • Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.




=========================================



Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
  • Click on I Agree.
  • If an ActiveX warning box appears, click on Install.
    Note: If you get the message "Could not load the Online Scanner! Click here for other possible fixes", it means Internet Explorer has blocked the ActiveX control from being installed. Just above the page under the Internet Explorer toolbar you see this message:
    "This website wants to install the following add-on: 'Bitdefender OnlineScanner v8' from 'BITDEFENDER LLC'. If you trust the website and the add-on and want to install it, click here..."
    Click on that and select: Install ActiveX.
  • Now Click On Start Scan. Please wait as it might take some time.
  • If it found anything when it finished, click Click here to export the scan report
  • Give the report a name and save it. The file will be a .HTML file.
  • Please attach the file to your reply.
  • To attach the file press ADD REPLY, under the reply window press Browse... and show the path to the file on your computer.
  • Highlight the file and click Open then press the green UPLOAD button.

~Semp



#10 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 11 December 2010 - 02:49 PM

When I ran the BitDefender it didn't find anything.

I don't know how to uninstall the Ask toolbar; I can't find it in my list of programs. I saw a ZoneAlarm toolbar but that was it.

I did uninstall the Viewpoint Media Player, but I didn't see the other 2 things (Manager, Viewpoint).

Also, when I log onto Bleeping Computer it shows the old heading. But when I choose Forums it changes to a blue heading.

Is this right?

Thank YOU

#11 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 12 December 2010 - 08:55 AM

Hi,

How's the computer running? Seeing the old heading of BC when you're on the home page is normal.

Are you using Firefox? If yes, then let's try to remove the Ask toolbar using Firefox.

Start Firefox > click Tools > click Add-ons > under "Extensions", look for AskBarDis or Ask Toolbar, then uninstall it.

Then, go to C:\Program Files and delete the corresponding folder if still present.


======================================================


1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 23 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel > Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.



2. Update Adobe Reader so you will not become vulnerable to infections.
  • Uninstall your old version of Adobe Reader.
  • Download the latest version of Adobe Reader. --> HERE
  • Uncheck any optional download like Free Google Toolbar or Free McAfee® Security Scan Plus.
  • Click download to download the file and install it by following the prompts.

~Semp



#12 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 12 December 2010 - 04:48 PM

The only problem is: on a kids' website, when she went to log in it said Adobe Flash Player has crashed. Close unresponsive pages? She clicked to close the pages. Then a folder that had a sick folder popped up and said Google Chrome has crashed. So she X'd out Google Chrome.



Also, I didn't find the Askbar in the extensions.

BUT, I did find a folder in the C drive with that name. I deleted it.

But, when I went to the Java Runtime Environment link it is in another language. I checked in the add-ons and I already have that listed.

I clicked on the link for the Adobe Reader and it's asking me to install a missing plug-in for it to download.

I already have an Adobe Reader in the add-ons.

How do I delete the old ones??

So, what should I do now?

Thanks

These are all of the extensions that are listed in the add-ons:
Adblock Plus, Adobe DLM, Java Console 6.0.17, 6.0.20, 6.0.14
Java Quick Starter 1.0, Kidzui, Microsoft .NET Framework Assistant
Yahoo Toolbar
ZoneAlarm Toolbar

Edited by lindaga35, 12 December 2010 - 04:58 PM.


#13 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 14 December 2010 - 07:05 AM

Hi Linda,

Sorry about the delay in responding. I will be on vacation and I am currently at the airport while making this post. I will ask somebody to continue the work.

=============================

You need to uninstall "ZoneAlarm Spy Blocker Toolbar" to completely remove the Ask toolbar. Please go to Control Panel > Add/Remove Programs and remove it.
No need to update Adobe because it's already updated; sorry about the confusion, as I was thinking of something else.


Also in Add/Remove Programs in the Control Panel, remove the following old versions of Java:

Java DB 10.4.2.1
Java™ 6 Update 20
Java™ SE Development Kit 6 Update 14


Then download the latest version -> here
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.

Edited by sempai, 14 December 2010 - 07:06 AM.

~Semp

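Posts #9, #11 and #13 ask for Viewpoint, the Ask toolbar (bundled here with the ZoneAlarm Spy Blocker Toolbar) and the older Java runtimes to be located in Add/Remove Programs, and post #10 shows how hard that is to do by eye when an entry is listed under a different name. The PowerShell script below is an added example, not from the thread: it lists installed programs from the same Uninstall registry keys that Add/Remove Programs reads and flags entries whose DisplayName matches those names. The name patterns in $watch are assumptions taken from this thread; the script is read-only and uninstalls nothing.

```powershell
# Added example, not from the thread: list installed programs the way Add/Remove Programs
# sees them (the Uninstall registry keys) and flag the names the helpers asked to remove.
# Read-only: it reports, it does not uninstall anything.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 64-bit hosts only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
)

# Name patterns taken from the thread (assumed; extend for other foistware you are chasing).
# 'Ask Toolbar' and 'AskBar' rather than plain 'Ask', which would also match e.g. "Task".
$watch = 'Java', 'Ask Toolbar', 'AskBar', 'Viewpoint', 'ZoneAlarm Spy Blocker'

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$flagged = foreach ($app in $installed) {
    $name = $app.DisplayName
    # -like is case-insensitive; first matching pattern is reported
    $hit  = $watch | Where-Object { $name -like "*$_*" } | Select-Object -First 1
    if ($hit) {
        [pscustomobject]@{
            DisplayName     = $name
            DisplayVersion  = $app.DisplayVersion
            Matched         = $hit
            UninstallString = $app.UninstallString
        }
    }
}

if ($flagged) {
    $flagged | Sort-Object DisplayName | Format-Table -AutoSize
} else {
    Write-Output 'No matching entries found in Add/Remove Programs.'
}
```

On the machine in this thread the Java pattern would list Java DB and each "Java(TM) 6 Update NN" entry side by side, which makes it easy to keep only the newest runtime and remove the rest, as post #13 asks; the UninstallString column shows the exact command Add/Remove Programs would run for each entry.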


#14 lindaga35 (Topic Starter)

  • Members
  • 384 posts
  • Gender:Female

Posted 14 December 2010 - 11:34 AM

I uninstalled the old Java. When I did the Java 6 Update 20, it said it was uninstalling 17. I wanted to mention that to you.

I also installed the new Java.

Should I reinstall the ZoneAlarm? Will it protect me more when it's on the browser? And am I clean now? Can I do online banking now and other things like that??


Thank You and I hope you have a great vacation.

#15 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 14 December 2010 - 12:11 PM

Hi,

Did you remove ZoneAlarm or just the "ZoneAlarm Spy Blocker Toolbar"? If you reinstall the ZoneAlarm Spy Blocker Toolbar... it uses the Ask search engine, so the Askbar will also be reinstalled.

I cannot confirm that a computer is clean... I can only tell that a log is clean and free from infection.

1. Please run another DDS scan and post the new report for my review. Thanks.


2. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Edited by sempai, 14 December 2010 - 12:14 PM.
Added additional instructions.

~Semp
