
Lasaoren completely hijacked my pc


147 replies to this topic

#1 Pearguy


Posted 05 November 2014 - 10:17 AM

Hello everyone

I have no idea how it got in, but when I started my pc this morning my Windows XP OS was infested with a load of unwanted programs, the worst of which seems to be Lasaoren.

I removed as many of these malicious invaders as I could with the 'Add or Remove' tool in the Control Panel, but it hasn't helped. Lasaoren was indeed removed from there, but it's still everywhere. I'm also unable to remove 'DivX', which appears to be some sort of video enhancer.

I removed Lasaoren from Firefox add-ons but it made no difference; I click on FF and it still comes up as Lasaoren.

I have a secondary OS in my pc, Linux mint, which seems unaffected. I've been on it all day trying to find a way of removing these hateful parasites but I've come up empty.

As things stand my computer, at least when booted to xp, is useless.

Needless to say I'd be extremely grateful for any help with this.


Edited by hamluis, 05 November 2014 - 10:37 AM.
Moved from XP to Am I Infected - Hamluis.



#2 Alex&Vanko


Posted 05 November 2014 - 04:44 PM

Hi Pearguy and :welcome:

 

Download Screen317 Security Check HERE and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

Please download MiniToolBox HERE to your desktop to run it.
Checkmark the following boxes:
* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

Please download Farbar Service Scanner (FSS) HERE and run it on the computer with the issue.

    Make sure the following options are checked:
        Internet Services
        Windows Firewall
        System Restore
        Security Center/Action Center
        Windows Update
        Windows Defender
        Other Services
    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.

 

Download Malwarebytes Anti-Rootkit HERE
    Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    Double click on downloaded file. OK self extracting prompt.
    MBAR will start. Click "Next" to continue.
    Click in the following screen "Update" to obtain the latest malware definitions.
    Once the update is complete select "Next" and click "Scan".
    When the scan is finished and no malware has been found select "Exit".
    If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
    "mbar-log-{date} (xx-xx-xx).txt"
    "system-log.txt"
 

Thank you!



#3 Pearguy


Posted 05 November 2014 - 06:01 PM

Alex&Vanko

Big thank you for taking the time to post such a helpful reply.

Do I need to perform these actions in Windows? Or can they be done from Linux?

I will try to follow your instructions tomorrow when I have the time (and energy).

The only difficulty is the Malwarebytes section. I twice used this tool previously for unrelated issues. The second time was a year after the first, and I'd forgotten the problems that this program had caused me (or I wouldn't have used it again).

Both times I was frozen out of my Windows account. My pc is legal and paid for, but Microsoft kept on with "Let's activate Windows..." and the system just would not let me do this, even though Microsoft themselves agreed that mine is a legitimate version of XP. Every time I logged on there was a message from MS telling me I had another day less to 'activate'.

Tried everything, no dice.

Eventually I was driven to get a new XP OS installed by more knowledgeable people. Don't know if this one is 'genuine' or not; tbh, I no longer care, after MS's behaviour. But it has behaved well till now.

Again my thanks to you, I'll update tomorrow.


Edited by Pearguy, 05 November 2014 - 06:16 PM.


#4 Alex&Vanko


Posted 05 November 2014 - 06:09 PM

Ok without Malwarebytes!



#5 Pearguy


Posted 06 November 2014 - 06:56 AM

Hi guys

Sorry to show my ignorance but I'd need to leave Linux and perform the above actions whilst booted to Windows, yes?

And does this type of malware infect just the OS that it got into or the computer itself?

Btw, is Lasaoren something you've come across before? There are lots of google hits on it but I get the really odd feeling that many of them actually originate from the Lasaoren source itself..

My thanks again

Simon


Edited by Pearguy, 06 November 2014 - 07:42 AM.


#6 Alex&Vanko


Posted 06 November 2014 - 01:18 PM

Perform these instructions on the Windows OS.

Btw, is Lasaoren something you've come across before?

No!

 

Lasaoren.com is a potentially unwanted program
Lasaoren.com will hijack your web browser homepage and default search engine
Installs a Windows Service and runs on Windows start up.
Typically distributed through a pay-per-install bundle

And does this type of malware infect just the OS that it got into or the computer itself?

Edited by Alex&Vanko, 06 November 2014 - 01:19 PM.
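The hijack Alex&Vanko describes (homepage and default search engine replaced, reasserted every time the browser starts) is the kind of change that a bundled installer pins in Firefox through a user.js file in the profile, which forces preference values on each launch. The following Python audit script is an added example and is not part of this thread or of any tool mentioned in it; the list of watched preferences, the trusted-domain list and the sample user.js are assumptions constructed for the example, with lasaoren.com used only because it is the domain named in this thread.

```python
import re

# Preferences a homepage/search hijacker has to set (assumption of this example).
WATCHED_PREFS = {
    "browser.startup.homepage",
    "browser.startup.page",
    "browser.newtab.url",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
}

# Hosts the profile owner expects to see in those prefs (assumption of this example).
TRUSTED_DOMAINS = {"mozilla.org", "google.com", "duckduckgo.com", "startpage.com"}

# Matches one line of the form: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')
HOST_RE = re.compile(r'https?://([^/"\s:]+)', re.IGNORECASE)


def parse_user_js(text):
    """Return {pref_name: raw_value} for every user_pref() line in a user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def hostname_of(value):
    """Hostname of a URL-valued pref, or None when the value is not a URL."""
    m = HOST_RE.search(value)
    return m.group(1).lower() if m else None


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_user_js(text):
    """Return (pref, value, reason) for every browser-control pref forced by user.js.

    A normal profile carries no user.js at all, so any watched pref found here is
    worth a look; URL-valued prefs are additionally checked against TRUSTED_DOMAINS.
    """
    findings = []
    for pref, value in parse_user_js(text).items():
        if pref not in WATCHED_PREFS and not pref.startswith("browser.search."):
            continue
        host = hostname_of(value)
        if host is None:
            findings.append((pref, value, "browser-control pref forced by user.js"))
        elif not is_trusted(host):
            findings.append((pref, value, f"points at untrusted host {host}"))
    return findings


# Constructed sample modelled on a search/homepage hijacker; not a real file from the thread.
SAMPLE_USER_JS = """\
// constructed sample
user_pref("browser.startup.homepage", "http://www.lasaoren.com/?src=bundle");
user_pref("browser.search.defaultenginename", "Lasaoren");
user_pref("browser.search.selectedEngine", "Lasaoren");
user_pref("keyword.URL", "http://search.lasaoren.com/web?q=");
user_pref("browser.startup.page", 1);
user_pref("layout.css.devPixelsPerPx", "1.0");
"""

if __name__ == "__main__":
    for pref, value, reason in audit_user_js(SAMPLE_USER_JS):
        print(f"{pref} = {value}  <- {reason}")
```

Run against a real profile by reading `user.js` from the profile directory (on XP, under `Application Data\Mozilla\Firefox\Profiles\<profile>\`); removing Lasaoren from the add-ons list alone, as the first post describes, does not touch this file, which is why the settings come back.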


#7 Pearguy


Posted 07 November 2014 - 08:47 AM

Hello again guys

Ok, all done except the Malwarebytes part. Here are the results in the order listed above.

My thanks as always.

 

 

 Results of screen317's Security Check version 0.99.89   
 Windows XP Service Pack 3 x86    
 Internet Explorer 8   
``````````````Antivirus/Firewall Check:``````````````  
 Windows Firewall Enabled!   
Please wait while WMIC is being installed.
displayName
Avira Desktop
Microsoft Security Essentials
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````  
 CCleaner      
 Adobe Flash Player     15.0.0.152   
 Mozilla Firefox (33.0.2)  
````````Process Check: objlist.exe by Laurent````````   
 Microsoft Security Essentials MSMpEng.exe  
 Microsoft Security Essentials msseces.exe  
 Avira Antivir avgnt.exe  
 Avira Antivir avguard.exe  
`````````````````System Health check`````````````````  
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 

 

 

MiniToolBox by Farbar  Version: 21-07-2014
Ran by simon (administrator) on 07-11-2014 at 13:19:19
Running from "C:\Documents and Settings\simon\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================  
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ==============================  
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (11/05/2014 00:07:56 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]
 
Error: (11/05/2014 00:07:07 PM) (Source: Application Error) (User: )
Description: Faulting application divc3.tmp, version 2.6.1.8, faulting module divc3.tmp, version 2.6.1.8, fault address 0x0005724a.
Processing media-specific event for [divc3.tmp!ws!]
 
Error: (11/05/2014 08:24:04 AM) (Source: Application Hang) (User: )
Description: Fault bucket -1439773252.
 
Error: (11/05/2014 08:23:35 AM) (Source: Application Hang) (User: )
Description: Hanging application divA.tmp, version 2.6.1.8, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (11/05/2014 08:22:50 AM) (Source: Application Error) (User: )
Description: Fault bucket -1442003922.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.
 
Error: (11/05/2014 08:21:16 AM) (Source: Application Error) (User: )
Description: Faulting application diva.tmp, version 2.6.1.8, faulting module diva.tmp, version 2.6.1.8, fault address 0x0005724a.
Processing media-specific event for [diva.tmp!ws!]
 
Error: (11/05/2014 08:17:31 AM) (Source: Application Hang) (User: )
Description: Fault bucket -1440515594.
 
Error: (11/05/2014 08:17:20 AM) (Source: Application Hang) (User: )
Description: Hanging application div2.tmp, version 2.6.1.8, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (11/05/2014 08:15:30 AM) (Source: Application Error) (User: )
Description: Fault bucket 223121472.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.
 
Error: (11/05/2014 08:15:22 AM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]
 
 
System errors:
=============
Error: (11/07/2014 00:45:29 PM) (Source: Microsoft Antimalware) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.
 
Error: (11/07/2014 00:45:29 PM) (Source: Microsoft Antimalware) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.
 
Error: (11/07/2014 00:42:40 PM) (Source: Microsoft Antimalware) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.
 
Error: (11/07/2014 00:42:05 PM) (Source: Microsoft Antimalware) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.
 
Error: (11/07/2014 00:34:23 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:  
ttnfd
 
Error: (11/07/2014 00:32:06 PM) (Source: Microsoft Antimalware) (User: )
Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.
 
Error: (11/05/2014 01:07:56 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (11/05/2014 00:26:46 PM) (Source: DCOM) (User: SIMON1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (11/05/2014 00:06:16 PM) (Source: DCOM) (User: SIMON1)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (11/05/2014 11:51:02 AM) (Source: DCOM) (User: SIMON1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
 
Microsoft Office Sessions:
=========================
Error: (11/05/2014 00:07:56 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d
 
Error: (11/05/2014 00:07:07 PM) (Source: Application Error)(User: )
Description: divc3.tmp2.6.1.8divc3.tmp2.6.1.80005724a
 
Error: (11/05/2014 08:24:04 AM) (Source: Application Hang)(User: )
Description: -1439773252
 
Error: (11/05/2014 08:23:35 AM) (Source: Application Hang)(User: )
Description: divA.tmp2.6.1.8hungapp0.0.0.000000000
 
Error: (11/05/2014 08:22:50 AM) (Source: Application Error)(User: )
Description: -1442003922
 
Error: (11/05/2014 08:21:16 AM) (Source: Application Error)(User: )
Description: diva.tmp2.6.1.8diva.tmp2.6.1.80005724a
 
Error: (11/05/2014 08:17:31 AM) (Source: Application Hang)(User: )
Description: -1440515594
 
Error: (11/05/2014 08:17:20 AM) (Source: Application Hang)(User: )
Description: div2.tmp2.6.1.8hungapp0.0.0.000000000
 
Error: (11/05/2014 08:15:30 AM) (Source: Application Error)(User: )
Description: 223121472
 
Error: (11/05/2014 08:15:22 AM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d
 
 
 
=========================== Installed Programs ============================
888poker (HKLM\...\888poker) (Version:  - )
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Avira (HKLM\...\{dc9a688a-12cb-4a22-b449-23d849d01dc7}) (Version: 1.1.24.28609 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.24.28609 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
CCleaner (HKLM\...\CCleaner) (Version: 4.14 - Piriform)
CloudReading (HKLM\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 1.1.47.1220 - Foxit Corporation)
DivX Setup (HKLM\...\DivX Setup) (Version: 2.6.1.8 - DivX, LLC)
Extended Update (HKCU\...\Digital Sites) (Version:  - Extended Update)
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 6.1.2.1224 - Foxit Corporation)
Image Resizer Powertoy for Windows XP (HKLM\...\{1CB92574-96F2-467B-B793-5CEB35C40C29}) (Version: 1.00.0001 - Microsoft Corporation)
Intel® Extreme Graphics 2 Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4396 - )
LibreOffice 4.1 Help Pack (English (United Kingdom)) (HKLM\...\{5286F9E3-8276-4405-89DA-C73398A3C8D4}) (Version: 4.1.4.2 - The Document Foundation)
LibreOffice 4.1.4.2 (HKLM\...\{94E11973-ED58-47A0-907C-ABF6D95C5DD8}) (Version: 4.1.4.2 - The Document Foundation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Automated Troubleshooting Services Shim (HKLM\...\{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb) (Version:  - )
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Download Manager (HKLM\...\{654977DB-0001-0002-0001-EABD228DDE8B}) (Version: 1.2.1 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 33.0.2 (x86 en-GB) (HKLM\...\Mozilla Firefox 33.0.2 (x86 en-GB)) (Version: 33.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2836939v3) (Version: 3 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebFldrs XP (Version: 9.50.5318 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 26%
Total physical RAM: 2039.48 MB
Available physical RAM: 1491.84 MB
Total Pagefile: 3935.95 MB
Available Pagefile: 3326.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1978.8 MB
 
========================= Partitions: =====================================
 
2 Drive c: () (Fixed) (Total:24.41 GB) (Free:11.18 GB) NTFS
3 Drive d: () (Fixed) (Total:60.31 GB) (Free:49.97 GB) NTFS
5 Drive f: (NORTON-KACK) (Fixed) (Total:0.01 GB) (Free:0.01 GB) FAT
6 Drive g: (USB2) (Removable) (Total:28.88 GB) (Free:23.02 GB) FAT32
 
========================= Users: ========================================
 
User accounts for \\SIMON1
 
Administrator            Guest                    HelpAssistant             
simon                    SUPPORT_388945a0          
 
 
**** End of log ****

 

 

Farbar Service Scanner Version: 21-07-2014
Ran by simon (administrator) on 07-11-2014 at 13:24:25
Running from "C:\Documents and Settings\simon\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy:  
==================
 
 
System Restore:
============
 
System Restore Disabled Policy:  
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy:  
============================
 
 
Other Services:
==============
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
 
Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) ttnfd(10)  
0x0A00000005000000010000000200000003000000040000000A00000009000000080000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****
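Two things a helper pulls out of a MiniToolBox log by eye, an installed-program entry nobody recognises and an installer stub that keeps crashing, can be extracted mechanically. The Python script below is an added example and is not part of this thread or of Farbar's tools: it parses the "Installed Programs" and "Event log errors" sections of a log in the format posted above, flags program entries with no recorded publisher or registered only under HKCU, and correlates faulting or hanging applications (and drivers that failed to load at boot) with installed-program versions. The flagging heuristics are assumptions of the example, meant to produce a short list for a human to check, not a verdict; the sample log is a constructed excerpt that reuses lines from the log in this post.

```python
import re
from collections import defaultdict

# Section headers look like "===== Installed Programs =====" or "===== Event log errors: =====".
SECTION_RE = re.compile(r"^=+\s*([^=]+?):?\s*=+\s*$")
FAULT_RE = re.compile(r"(?:Faulting|Hanging) application (\S+), version (\S+),")
DRIVER_FAIL = "boot-start or system-start driver(s) failed to load"


def split_sections(text):
    """Group log lines under the section header they follow."""
    sections = defaultdict(list)
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).rstrip(":").strip()
            continue
        sections[current].append(line.rstrip())
    return sections


def parse_program(line):
    """Parse one 'Installed Programs' line into name, registry hive, version and publisher."""
    idx = line.rfind("(Version: ")
    if idx < 0:
        return None
    head, tail = line[:idx].rstrip(), line[idx + len("(Version: "):]
    hidden = tail.endswith(" Hidden")
    if hidden:
        tail = tail[: -len(" Hidden")]
    version, _, publisher = tail.rstrip().rstrip(")").partition(" - ")
    hive = None
    for h in ("HKLM", "HKCU"):
        marker = f" ({h}\\...\\"  # the uninstall key is shown under this hive
        if marker in head:
            hive, head = h, head[: head.index(marker)]
    return {"name": head.strip(), "hive": hive, "version": version.strip(),
            "publisher": publisher.strip(), "hidden": hidden}


def triage_programs(programs):
    """Heuristics (assumptions of this example) for entries a helper should ask about."""
    flagged = []
    for p in programs:
        reasons = []
        if not p["publisher"]:
            reasons.append("no publisher recorded")
        if p["hive"] == "HKCU":
            reasons.append("per-user install (HKCU), typical of bundled adware")
        if p["publisher"] and p["publisher"] == p["name"]:
            reasons.append("publisher equals product name")
        if reasons:
            flagged.append((p["name"], p["version"], reasons))
    return flagged


def triage_events(event_lines, programs):
    """Crashing/hanging applications matched to installed versions, plus failed boot drivers."""
    by_version = defaultdict(set)
    for p in programs:
        if p["version"]:
            by_version[p["version"]].add(p["name"])
    crashes = defaultdict(int)
    failed_drivers = []
    for i, line in enumerate(event_lines):
        m = FAULT_RE.search(line)
        if m:
            crashes[(m.group(1).lower(), m.group(2))] += 1
        if DRIVER_FAIL in line:
            # driver names follow on the next line(s) until a blank line
            for follow in event_lines[i + 1:]:
                if not follow.strip():
                    break
                failed_drivers.append(follow.strip())
    findings = []
    for (app, ver), n in sorted(crashes.items()):
        owners = sorted(by_version.get(ver, ()))
        note = f"matches installed {', '.join(owners)}" if owners else "version matches no installed program"
        findings.append(f"{app} v{ver} crashed/hung {n}x; {note}")
    findings.extend(f"boot-start driver failed to load: {d}" for d in failed_drivers)
    return findings


def triage(text):
    sections = split_sections(text)
    programs = [p for p in map(parse_program, sections.get("Installed Programs", [])) if p]
    return {"programs": triage_programs(programs),
            "events": triage_events(sections.get("Event log errors", []), programs)}


# Constructed excerpt reusing lines from the MiniToolBox log posted above.
SAMPLE_LOG = """\
MiniToolBox by Farbar  Version: 21-07-2014
========================= Event log errors: ===============================

Application errors:
==================
Error: (11/05/2014 00:07:07 PM) (Source: Application Error) (User: )
Description: Faulting application divc3.tmp, version 2.6.1.8, faulting module divc3.tmp, version 2.6.1.8, fault address 0x0005724a.

Error: (11/05/2014 08:23:35 AM) (Source: Application Hang) (User: )
Description: Hanging application divA.tmp, version 2.6.1.8, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

System errors:
=============
Error: (11/07/2014 00:34:23 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
ttnfd

========================= Installed Programs ============================
888poker (HKLM\\...\\888poker) (Version:  - )
Adobe Flash Player 15 ActiveX (HKLM\\...\\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
DivX Setup (HKLM\\...\\DivX Setup) (Version: 2.6.1.8 - DivX, LLC)
Extended Update (HKCU\\...\\Digital Sites) (Version:  - Extended Update)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Mozilla Firefox 33.0.2 (x86 en-GB) (HKLM\\...\\Mozilla Firefox 33.0.2 (x86 en-GB)) (Version: 33.0.2 - Mozilla)

========================= Memory info: ===================================
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, ver, reasons in result["programs"]:
        print(f"check: {name} {ver or '(no version)'} -> {'; '.join(reasons)}")
    for finding in result["events"]:
        print("event:", finding)
```

On the excerpt this lists "888poker" and "Extended Update" for a human to confirm, ties the crashing divc3.tmp/divA.tmp stubs to "DivX Setup" through the shared version 2.6.1.8, and reports the ttnfd driver that failed to load; a missing publisher also hits legitimate drivers (the Intel graphics entry in the full log), so the output is a checklist rather than a detection.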



#8 Alex&Vanko


Posted 07 November 2014 - 02:02 PM

Do you know this - Extended Update?

If not, uninstall it from Add/Remove Programs.

 

Please download AdwCleaner by Xplode HERE onto your desktop.

    Close all open programs and internet browsers.
    Double click on AdwCleaner.exe to run the tool.
    Click on Scan.
    After the scan is complete click on "Clean"
    Confirm each time with Ok.
    Your computer will be rebooted automatically. A text file will open after the restart.
    Please post the content of that logfile with your next answer.
    You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool HERE to your desktop.

    Shut down your protection software now to avoid potential conflicts.
    Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    The tool will open and start scanning your system.
    Please be patient as this can take a while to complete depending on your system's specifications.
    On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    Post the contents of JRT.txt into your next message.

Download Malwarebytes' Anti-Malware Free HERE to your desktop.
    - Do not accept the Free Trial Version at this time -
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Threat scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.
How to open the log:
Open MalwareBytes Anti-Malware and then click on History
On the left column, select Application Logs. Select the most recent log among the list, it is usually the one on the top (or sort by date) and open it.
Go to the bottom left corner to Export and select Text File (*.txt)
Save it to the desktop

    Be sure to restart the computer if requested.

Please download the ESET Online Scanner HERE and save it to your Desktop.
Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
    Start esetsmartinstaller_enu.exe with administrator privileges.
    Select the option Yes, I accept the Terms of Use and click on Start.
    Make sure that the option Remove found threats is checked, and the option Scan archives is checked.
    Now click on Advanced Settings and select the following:
        Scan for potentially unwanted applications
        Scan for potentially unsafe applications
        Enable Anti-Stealth Technology
    Click on Start. The virus signature database will begin to download. This may take some time.
    When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
    When completed select Uninstall application on close if you so wish
    Now click on Finish
The path to the log file is "C:\Program Files\ESET\EsetOnlineScanner\log.txt" (on 64-bit systems this directory will be "C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt")

Note: Do not forget to re-enable your antivirus application after running the above scan!
 

Thank you!



#9 Alex&Vanko


Posted 07 November 2014 - 02:05 PM

You also have two antivirus programs.

Is it bad to run multiple antivirus programs?



#10 Pearguy


Posted 07 November 2014 - 06:32 PM

Hi Guys

I'm just home. I will perform the above instructions tomorrow morning.

Had no idea I was running two AV, I know about Avira, but what's the other one?

Please see my previous post re Malwarebytes:

Both times I applied it, MS Windows froze me from my account. Was a question of 'Activate Windows'.

But MS, who were demanding this action, wouldn't allow me to do it. Was most frustrating experience imaginable.

Will follow all other instructions, but request reassurance re Malwarebytes.

Can you help if I'm locked out again (for the third time)?

Thanks always



#11 Alex&Vanko


Posted 07 November 2014 - 06:38 PM

It was for Malwarebytes Anti-Rootkit. This is another one.

Microsoft Security Essentials is another one.

 

Thank you!



#12 Alex&Vanko


Posted 07 November 2014 - 06:43 PM

I don't believe Malwarebytes will deactivate your Windows.



#13 Pearguy


Posted 08 November 2014 - 09:48 AM

Hi Alex&Vanko

 

Ok, I have performed the AdwCleaner and JRT scans and will post the results beneath this dialog. Just a couple of questions before I continue.

 

Is this a different version of Malwarebytes? When I downloaded it the icon looked like a pointed jackhammer and it had the word rootkit in its name...

I trust you, and the tool, but I'm just not so sure about trusting Microsoft or my OS installer. If it's necessary to fix my problem then I shall of course run it.

 

If I'm not blocked from my Windows account I will defrag as you suggest. How can I tell if my drive is SSD?

 

I will also follow the advice to remove second AV program but I don't know what/where it is, I only knew about Avira. Could the other one be a native Windows application?

Thank you for all help so far.

 

EDIT:

Although I don't understand the scan logs, I saw the words "Repaired" and "Removed" repeated a number of times. Encouraging, so I logged back into Windows and Lasaoren seems to have vanished! Relief! Man, Thank you!

Do I still need to run Malwarebytes? I will if it's necessary. I will wait for your instructions on this before performing the ESET tasks.

 

 

2nd EDIT:

I've found the culprit. With the hijacker gone I was able to start Firefox, which opened my last session. It seems I downloaded a "safe" program called DivX as one of my last actions. Seems I'm not the only one,

 

https://forums.divx.com/divx/topics/chrome_warns_divx_update_is_malicious?topic-reply-list[settings][filter_by]=all

 

The program folder labelled 'DivX' is empty, but the setup disk in 'Add or Remove..' cannot be removed. Every time I click 'remove' a dialog box appears saying "DivX setup has encountered a problem and needs to close"

The only way to get rid of this dialog box is to shut down Windows.

I guess I'm still infected?

 

 

 

# AdwCleaner v4.100 - Report created 08/11/2014 at 13:37:15
# DB v2014-11-07.1
# Updated 08/11/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : simon - SIMON1
# Running from : C:\Documents and Settings\simon\My Documents\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\2308189059
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SaleItCoupon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\shopndrop
Folder Deleted : C:\Documents and Settings\All Users\Application Data\e1af4b259004aede
Folder Deleted : C:\Documents and Settings\simon\Application Data\DigitalSites
Folder Deleted : C:\Documents and Settings\simon\My Documents\Optimizer Pro
[!] Folder Deleted : C:\Documents and Settings\simon\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bfaekmalldododidalckpccilpcdefme
[!] Folder Deleted : C:\Documents and Settings\simon\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bidobelmjjokapiopogdbcbclpipoedj
File Deleted : C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\mhie7ajo.default\user.js
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [termtutor@termtutor.com]
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{733413F4-5FB9-4EE9-8536-BF7AB1731A19}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6CB99040-7828-4C37-AC01-F15758F43E4D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6CB99040-7828-4C37-AC01-F15758F43E4D}
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\TermTutor
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Optimizer Pro_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Mozilla Firefox v33.0.3 (x86 en-GB)
 
[mhie7ajo.default\prefs.js] - Line Deleted : user_pref("extensions.kCB32MVUD3oeCtUu.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1url.indexOf(\"warnalert11.com\")>-1url.indexOf(\[...]
 
-\\ Google Chrome v
 
[C:\Documents and Settings\simon\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
[C:\Documents and Settings\simon\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : bfaekmalldododidalckpccilpcdefme
[C:\Documents and Settings\simon\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : bidobelmjjokapiopogdbcbclpipoedj
 
*************************
 
AdwCleaner[R0].txt - [3662 octets] - [08/11/2014 13:31:51]
AdwCleaner[S0].txt - [3649 octets] - [08/11/2014 13:37:15]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3709 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.7 (11.08.2014:1)
OS: Microsoft Windows XP x86
Ran by simon on 08/11/2014 at 13:45:14.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1844237615-1004336348-682003330-1003\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A25AC313-DD19-4238-ACA2-401D6BEE4321}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{A25AC313-DD19-4238-ACA2-401D6BEE4321}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\simon\Application Data\getrighttogo"
 
 
 
~~~ FireFox
 
Successfully deleted: [File] C:\Documents and Settings\simon\Application Data\mozilla\firefox\profiles\mhie7ajo.default\searchplugins\avira-safesearch.xml
Successfully deleted the following from C:\Documents and Settings\simon\Application Data\mozilla\firefox\profiles\mhie7ajo.default\prefs.js
 
user_pref("browser.search.defaultenginename", "Lasaoren");
user_pref("browser.search.selectedEngine", "Lasaoren");
user_pref("extensions.srchlsrn.hmpgUrl", "hxxp://Lasaoren.com/?f=1&a=lrn_ggfc_14_45_ff&cd=2XzuyEtN2Y1L1QzutDtDtD0FtBtDyBtByDzyyBtCtB0E0DtBtN0D0Tzu0StCtDtAzytN1L2XzutAtFyCtFtDt
user_pref("extensions.srchlsrn.newTabUrl", "hxxp://Lasaoren.com/?f=2&a=lrn_ggfc_14_45_ff&cd=2XzuyEtN2Y1L1QzutDtDtD0FtBtDyBtByDzyyBtCtB0E0DtBtN0D0Tzu0StCtDtAzytN1L2XzutAtFyCtFt
user_pref("extensions.srchlsrn.prtnrId", "WSE_Lasaoren");
user_pref("extensions.srchlsrn.srchPrvdr", "Lasaoren");
user_pref("extensions.srchlsrn.tlbrSrchUrl", "hxxp://Lasaoren.com/?f=3&a=lrn_ggfc_14_45_ff&cd=2XzuyEtN2Y1L1QzutDtDtD0FtBtDyBtByDzyyBtCtB0E0DtBtN0D0Tzu0StCtDtAzytN1L2XzutAtFyCt
Emptied folder: C:\Documents and Settings\simon\Application Data\mozilla\firefox\profiles\mhie7ajo.default\minidumps [1 files]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/11/2014 at 13:55:10.07
End of JRT log


Edited by Pearguy, 08 November 2014 - 11:37 AM.
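The JRT entries above show the hijack mechanism: Firefox's search prefs and the extension's own URL prefs in prefs.js were rewritten to point at Lasaoren. As an added example (not code from the thread, from JRT or from AdwCleaner), the Python below parses prefs.js lines and flags search-engine, homepage and extension-owned URL prefs; the sample input is constructed from the log lines above with the URLs shortened, and the "expected engine" set is an assumption to tune per install.

```python
import re

# Constructed sample modelled on the JRT log entries (URLs shortened, the
# log's hxxp defanging kept so nothing here is a live link).
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.search.defaultenginename", "Lasaoren");
user_pref("browser.search.selectedEngine", "Lasaoren");
user_pref("extensions.srchlsrn.hmpgUrl", "hxxp://Lasaoren.com/?f=1&a=lrn_ggfc_14_45_ff");
user_pref("extensions.srchlsrn.newTabUrl", "hxxp://Lasaoren.com/?f=2&a=lrn_ggfc_14_45_ff");
user_pref("extensions.srchlsrn.prtnrId", "WSE_Lasaoren");
user_pref("browser.cache.disk.capacity", 358400);
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')
URL_RE = re.compile(r"^h(?:xx|tt)ps?://", re.IGNORECASE)

# Assumed allowlists: what a clean profile on this machine is expected to use.
EXPECTED_ENGINES = {"Google", "Yahoo", "Bing", "DuckDuckGo"}
EXPECTED_HOMEPAGES = {"about:home", "about:blank"}
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}

def parse_prefs(text):
    """Return {pref_name: value_as_string} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs

def find_suspicious(prefs):
    """Return sorted (pref, value, reason) tuples that deserve a closer look."""
    hits = []
    for name, value in prefs.items():
        if name in ENGINE_PREFS and value not in EXPECTED_ENGINES:
            hits.append((name, value, "search engine not in expected set"))
        elif name == "browser.startup.homepage" and value not in EXPECTED_HOMEPAGES:
            hits.append((name, value, "homepage changed"))
        elif name.startswith("extensions.") and URL_RE.match(value):
            # An extension keeping homepage/new-tab URLs in its own pref branch
            # is exactly what the srchlsrn.* entries in the log do.
            hits.append((name, value, "extension-owned URL pref"))
    return sorted(hits)

if __name__ == "__main__":
    for pref, value, reason in find_suspicious(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{reason}: {pref} = {value}")
```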


#14 Alex&Vanko

Alex&Vanko

  • Banned
  • 1,394 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:41 PM

Posted 08 November 2014 - 01:12 PM

which opened my last session. It seems I downloaded a "safe" program called DivX as one of my last actions

Give me the link from Firefox history to experiment. I have DivX Setup; it is a video codec.

I want: Download Malwarebytes' Anti-Malware Free

Not: Download Malwarebytes Anti-Rootkit

 

If we hit something we may restore from quarantine. Also, I want ESET.

 

Microsoft Security Essentials is not built into Windows XP and also cannot come through Windows Update.

Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)

You have it.

Yes, we are on the right way, but we need some more instruments to get rid of it.

 

Thank you!



#15 Pearguy

Pearguy
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 08 November 2014 - 05:41 PM

The first link is the last History entry before the hijack, but looking at it now it doesn't mention 'DivX' and seems to be a Mozilla plug-in. Strange.

 

http://www.clickvideodownload.com/getting_started.php

 

This is the next FF history entry after the above download page

 

http://uk.yhs4.search.yahoo.com/yhs/search?hspart=ironsource&hsimp=yhs-fullyhosted_003&type=lrn_gg

 

The above would have been my attempt the next morning to deal with the problem. Yahoo was the site to which Lasaoren re-directed me. At this point I had no access to any other browser.

 

 

In case the first link is innocent, here's another from just before '1click Videodownload':

 

http://thefreeultimatecodecs.com/ultimate-codecs/welcome/oc/?iv=12

 

Strange thing: when I first opened the FF history, the entry right after "1 Click Video Download" was "Lasaoren Uninstall". I was going to copy it here in case it might be useful to you, but it took ages to load the tab so I stopped it. When I clicked the FF history window again, the Lasaoren Uninstall entry had vanished.

 

This is what was downloaded when I followed your link for Malwarebytes:

mbar-1.07.0.1012

Malwarebytes Anti-Rootkit

Malwarebytes Corp.

 

The icon is definitely the second one you posted (jackhammer), not the first one that you want (bat in flight?)

I downloaded directly from your link. I'll try again using the link from your last post tomorrow morning.

 

Hope the above library links are useful.

 

Thanks as always.


Edited by Pearguy, 08 November 2014 - 05:43 PM.




