
Assistance reading a Hijackthis Log file


This topic is locked
22 replies to this topic

#1 jcarr
Posted 19 April 2011 - 02:59 PM

My computer is constantly asking me if I want to continue running scripts on the page. It comes up with everything from ad.yieldmanager to couponswapper to youtube etc. It is also redirecting me to different sites in most pages I try to get into. I'm hoping HijackThis will fix it. Can anyone help to point out what I should be attempting to fix in the HijackThis software? Here is the log file. Any help would be greatly appreciated.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:34:35, on 4/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetModem\Client\NetModemClient.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Rey\Bin\Ucsinsvc.exe
C:\rey\bin\PscVersionService.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\FYF885.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Shared Library - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\Program Files\Shared\shared.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.dealerspeed.net/dcsnet/dcsnetwebapp/activex/smsx.cab
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (ClientPlugin Object) - https://techinline.net/Client/TIClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wpc.local
O17 - HKLM\Software\..\Telephony: DomainName = wpc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8DE06E9-C2ED-4C00-B791-881F91ADBECF}: NameServer = 206.95.22.50,207.68.188.187
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wpc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wpc.local
O18 - Filter hijack: text/html - {27388780-f571-4d68-9032-2bae8ff144d6} - C:\DOCUME~1\tvenezia\LOCALS~1\Temp\msmonitor.
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetModem Client (NMClient) - Unknown owner - C:\Program Files\NetModem\Client\NetModemClient.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: REY Install NT Service - UCS - C:\Rey\Bin\Ucsinsvc.exe
O23 - Service: REY PSCVersionService - Reynolds - C:\rey\bin\PscVersionService.exe
O23 - Service: SonicWALL Global VPN Client Service (SWGVCSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: UCS Install NT Service - Unknown owner - C:\UCC\Services\UcsInSvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7935 bytes

Edited by Orange Blossom, 19 April 2011 - 03:05 PM.
Moved to log forum. ~ OB
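As an added example (not code from this thread or from Trend Micro's HijackThis), here is a small Python triage script that parses HJT log entries the way the helper reads them above and cross-references CLSIDs against the MBAM report. The sample lines are constructed from the logs posted in this thread; the regexes, the severity labels and the list of flagged patterns are my own assumptions.

```python
"""Triage helper for HijackThis (HJT) v2 logs: parse the numbered entries, flag the
patterns that matter in the thread above (temp-folder binaries, an O18 text/html filter,
orphaned BHO/service entries) and cross-reference CLSIDs against an MBAM report."""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the lines from the HJT and MBAM logs in this thread.
HJT_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\FYF885.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Shared Library - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\Program Files\Shared\shared.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {27388780-f571-4d68-9032-2bae8ff144d6} - C:\DOCUME~1\tvenezia\LOCALS~1\Temp\msmonitor.
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""
MBAM_SAMPLE = r"""
HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
c:\program files\Shared\shared.dll (Trojan.BHO) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # matches ...\TEMP\... and ...\LOCALS~1\Temp\...


@dataclass(frozen=True)
class Finding:
    severity: str   # assumed scale: "high", "medium", "low"
    line: str
    reason: str


def triage(hjt_log: str) -> list[Finding]:
    """Return the log lines worth a second look, each with a severity and a one-line reason."""
    findings: list[Finding] = []
    in_processes = False
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line closes the "Running processes" block
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if TEMP_RE.search(line):
                findings.append(Finding("high", line, "process running from a temp directory"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O18" and body.startswith("Filter hijack:"):
            # An O18 filter on text/html sits in front of every page IE renders, so it can
            # rewrite or redirect them; one whose DLL lives in a user's Temp folder is the
            # pattern this thread's fix.reg removed.
            sev = "high" if TEMP_RE.search(body) else "medium"
            findings.append(Finding(sev, line, "MIME/protocol filter registered (O18)"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", line, "BHO registered but its DLL is gone (orphaned entry)"))
        elif kind in ("O2", "O4") and TEMP_RE.search(body):
            findings.append(Finding("high", line, f"{kind} entry loading from a temp directory"))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(Finding("low", line, "service whose binary is missing (cleanup candidate)"))
    return findings


def confirmed_clsids(hjt_log: str, mbam_log: str) -> dict[str, str]:
    """Map each CLSID that appears in both logs to the HJT entry that registered it.

    This is the correlation the thread makes by hand: the O2 'Shared Library' BHO in the
    HJT log is the {AFD4AD01-...} key that MBAM later reports as Trojan.BHO."""
    flagged = {c.upper() for c in CLSID_RE.findall(mbam_log)}
    hits: dict[str, str] = {}
    for line in hjt_log.splitlines():
        for clsid in CLSID_RE.findall(line):
            if clsid.upper() in flagged:
                hits[clsid.upper()] = line.strip()
    return hits


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    for clsid, entry in confirmed_clsids(HJT_SAMPLE, MBAM_SAMPLE).items():
        print(f"MBAM-confirmed {clsid}: {entry}")
```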



#2 miekiemoes
(Malware Response Team)

Posted 20 April 2011 - 12:38 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check for updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jcarr

Posted 20 April 2011 - 10:29 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6406

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2011 9:18:22 AM
mbam-log-2011-04-20 (09-18-22).txt

Scan type: Quick scan
Objects scanned: 180114
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Shared\shared.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\spool\prtprocs\w32x86\110179.tmp (Trojan.Agent) -> Quarantined and deleted successfully.



The HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:26:10, on 4/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\NetModem\Client\NetModemClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Rey\Bin\Ucsinsvc.exe
C:\rey\bin\PscVersionService.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\FWE67C.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.dealerspeed.net/dcsnet/dcsnetwebapp/activex/smsx.cab
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (ClientPlugin Object) - https://techinline.net/Client/TIClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wpc.local
O17 - HKLM\Software\..\Telephony: DomainName = wpc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8DE06E9-C2ED-4C00-B791-881F91ADBECF}: NameServer = 206.95.22.50,207.68.188.187
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wpc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wpc.local
O18 - Filter hijack: text/html - {27388780-f571-4d68-9032-2bae8ff144d6} - C:\DOCUME~1\tvenezia\LOCALS~1\Temp\msmonitor.
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetModem Client (NMClient) - Unknown owner - C:\Program Files\NetModem\Client\NetModemClient.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: REY Install NT Service - UCS - C:\Rey\Bin\Ucsinsvc.exe
O23 - Service: REY PSCVersionService - Reynolds - C:\rey\bin\PscVersionService.exe
O23 - Service: SonicWALL Global VPN Client Service (SWGVCSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: UCS Install NT Service - Unknown owner - C:\UCC\Services\UcsInSvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7039 bytes


As of right now I am not experiencing the issues.

MieKiemoes, you are awesome. Thanks so much for your help.

#4 miekiemoes

Posted 20 April 2011 - 10:38 AM

Hi,

Just a final cleanup...

Open Notepad and copy and paste the text present in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]

Save this as fix.reg (choose to save as *all files) and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Also, I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


Let me know in your next reply how things are now :)

#5 jcarr

Posted 20 April 2011 - 10:52 AM

What do I open Notepad in to insert that information?

Justin

#6 miekiemoes

Posted 20 April 2011 - 11:00 AM

Yes, just create a new text file (which will be opened in Notepad by default) and copy and paste the above contents into it.
If this is too confusing for you, just let me know, so I will create it for you instead and attach it to this post :)

#7 jcarr

Posted 20 April 2011 - 11:21 AM

MieKiemoes,

Ok, I was able to take that final step and the redirects on the computer are not an issue anymore, but I just got another pop-up that says "An error has occurred in the script on this page":
Line 1
Char 101
Error: Expected
Code: 0
URL: http://www.parentsask.com/walgreens/it-cold-or-allergies?f=fgpawg08

Do you want to continue running scripts on this page?


How do I prevent these from continuing to come up?

In the Advanced tab I have "Disable script debugging (Internet Explorer)" checked, "Disable script debugging (Other)" not checked, and "Display a notification about every script error" not checked as well.

Not sure why these keep coming up.

However, the computer is behaving better than it was, and the program you sent me found 6 files infected with the trojan virus.

#8 miekiemoes

Posted 20 April 2011 - 11:33 AM

Hi,

Do you get this error on the same page you visit, or on random/different pages you visit?
Some pages do generate such script errors though; this is because some JavaScript is added to some pages which has issues loading properly.
The URL you posted above shows that there are indeed many scripts present on that page. I block most scripts anyway, since I use Firefox with the NoScript extension, as that is an extra layer of security.

#9 jcarr

Posted 20 April 2011 - 11:37 AM

The computer had a single window open and was on the www.yahoo.com web site. If you leave that page up it's fine for a little while and then eventually a script error screen pops up. What is the best way to prevent these script errors from coming up?

#10 miekiemoes

Posted 20 April 2011 - 11:40 AM

Hmmm, as an extra doublecheck - just to make sure, please do the following...

Please Download
TDSSKiller.zip

Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.


#11 jcarr


Posted 20 April 2011 - 12:39 PM

Ok, I'm confused. I unzip it and click on the exe. It asks me if I want to "Run"; I click Run and it takes me to another prompt asking me if I want to "Run". I click Run again and the box disappears and nothing happens.

#12 jcarr


Posted 20 April 2011 - 12:41 PM

I just tried to go to a web site and it appears that I am still getting redirected for some reason. Not sure what is going on.

#13 miekiemoes

Posted 20 April 2011 - 12:46 PM

Hi,

Can you try again with TDSSKiller?
Please try to reboot first and then try again. Just hit it one time; it may happen that it takes a few seconds before it actually loads.

#14 jcarr


Posted 20 April 2011 - 01:00 PM

I tried and it won't open. I was able to click on an icon on the bottom right and I got some details. Here is what it listed.


Testing ...
Current Location part 1 offset 1263699
Archive: C:\Documents and Settings\tvenezia\Local Settings\Temporary Internet Files\Content.IE5\WORCCOF3\tdsskiller[1].zip 1263721 bytes 2011-04-20 11:53:44
End central directory record PK0506 (4+18)
==========================================
current location of end-of-central-dir record: 1263699 (0x00134853) bytes
expected location of end-of-central-dir record: 1263699 (0x00134853) bytes
based on the size of the central directory of
114 and its relative offset of 1263585 bytes
part number of this part (0000): 1
part number of start of central dir (0000): 1
number of entries in central dir in this part: 2
total number of entries in central dir: 2
size of central dir: 114 (0x00000072) bytes
relative offset of central dir: 1263585 (0x001347e1) bytes
zipfile comment length: 0
Current Location part 1 offset 1263585
Central directory entry PK0102 (4+42): #1
======================================
part number in which file begins (0000): 1
relative offset of local header: 0 (0x00000000) bytes
version made by operating system (00): MS-DOS, OS/2, NT FAT
version made by zip software (20): 2.0
operat. system version needed to extract (00): MS-DOS, OS/2, NT FAT
unzip software version needed to extract (20): 2.0
general purpose bit flag (0x0000) (bit 15..0): 0000.0000 0000.0000
file security status (bit 0): not encrypted
extended local header (bit 3): no
compression method (08): deflated
compression sub-type (deflation): normal
file last modified on (0x00003e6a 0x00006379): 2011-03-10 12:27:50
32-bit CRC value: 0x59e2cc16
compressed size: 1262334 bytes
uncompressed size: 1377112 bytes
length of filename: 14 characters
length of extra field: 0 bytes
length of file comment: 0 characters
internal file attributes: 0x0000
apparent file type: binary
external file attributes: 0x00000020
non-MSDOS external file attributes: 0x000000
MS-DOS file attributes (0x20): arc
Current Location part 1 offset 1263631
filename:TDSSKiller.exe
Current Location part 1 offset 1263645
Central directory entry PK0102 (4+42): #2
======================================
part number in which file begins (0000): 1
relative offset of local header: 1262378 (0x0013432a) bytes
version made by operating system (00): MS-DOS, OS/2, NT FAT
version made by zip software (20): 2.0
operat. system version needed to extract (00): MS-DOS, OS/2, NT FAT
unzip software version needed to extract (20): 2.0
general purpose bit flag (0x0000) (bit 15..0): 0000.0000 0000.0000
file security status (bit 0): not encrypted
extended local header (bit 3): no
compression method (08): deflated
compression sub-type (deflation): normal
file last modified on (0x00003e21 0x000001c0): 2011-01-01 00:14:00
32-bit CRC value: 0x96ff1358
compressed size: 1169 bytes
uncompressed size: 2254 bytes
length of filename: 8 characters
length of extra field: 0 bytes
length of file comment: 0 characters
internal file attributes: 0x0001
apparent file type: text
external file attributes: 0x00000020
non-MSDOS external file attributes: 0x000000
MS-DOS file attributes (0x20): arc
Current Location part 1 offset 1263691
filename:eula.txt
Current Location part 1 offset 0
Local directory entry PK0304 (4+26): #1
------------------------------------
operat. system version needed to extract (00): MS-DOS, OS/2, NT FAT
unzip software version needed to extract (20): 2.0
general purpose bit flag (0x0000) (bit 15..0): 0000.0000 0000.0000
file security status (bit 0): not encrypted
extended local header (bit 3): no
compression method (08): deflated
compression sub-type (deflation): normal
file last modified on (0x00003e6a 0x00006379): 2011-03-10 12:27:50
32-bit CRC value: 0x59e2cc16
compressed size: 1262334 bytes
uncompressed size: 1377112 bytes
length of filename: 14 characters
length of extra field: 0 bytes
Current Location part 1 offset 30
filename:TDSSKiller.exe
Current Location part 1 offset 44
testing: TDSSKiller.exe OK
Current Location part 1 offset 1262378
Local directory entry PK0304 (4+26): #2
------------------------------------
operat. system version needed to extract (00): MS-DOS, OS/2, NT FAT
unzip software version needed to extract (20): 2.0
general purpose bit flag (0x0000) (bit 15..0): 0000.0000 0000.0000
file security status (bit 0): not encrypted
extended local header (bit 3): no
compression method (08): deflated
compression sub-type (deflation): normal
file last modified on (0x00003e21 0x000001c0): 2011-01-01 00:14:00
32-bit CRC value: 0x96ff1358
compressed size: 1169 bytes
uncompressed size: 2254 bytes
length of filename: 8 characters
length of extra field: 0 bytes
Current Location part 1 offset 1262408
filename:eula.txt
Current Location part 1 offset 1262416
testing: eula.txt OK
No errors detected in compressed data of C:\Documents and Settings\tvenezia\Local Settings\Temporary Internet Files\Content.IE5\WORCCOF3\tdsskiller[1].zip.

#15 miekiemoes

Posted 20 April 2011 - 01:05 PM

Hi,

It looks like you didn't unzip. Anyway, download this one: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
This is the unzipped version.
Place it on your desktop and run it from there.
