Jasonm Posted January 5, 2009

Hello all. I recently received a call from my brother-in-law asking if I could look at his laptop. It had no AV running or any other protection at all; it had spyware infected on the desktop and probably a whole lot more. I installed Eset Nod32, scanned, and it found and fixed 8 problems. I then installed and ran Malwarebytes Anti-Malware, which found 4 problems, one of them being the desktop hijacker. Could someone have a look at his HijackThis log and see if there is anything else I need to do please... Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49:07, on 03/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Documents and Settings\Ellis\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {0846276E-4539-F77E-477A-1EF23204BFBA} - (no file)
O2 - BHO: (no name) - {0A1C8A5D-9929-2FC4-9A72-0FFCEC2D7347} - (no file)
O2 - BHO: (no name) - {0E368392-AD4F-5461-2A9A-288167712596} - (no file)
O2 - BHO: (no name) - {16B05DC6-B860-235A-E7C1-ABDA898678EE} - (no file)
O2 - BHO: (no name) - {1EB9A5C3-8BE0-1184-BF52-28550086EC10} - (no file)
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - (no file)
O2 - BHO: (no name) - {209F8E8B-6292-6C42-3CE2-9DCDECC213E7} - (no file)
O2 - BHO: (no name) - {2B7E95AD-F49A-B2B2-7702-10D4ABFF9B32} - (no file)
O2 - BHO: (no name) - {3D2ACA16-3F1C-BF97-6524-0F7072E1E895} - (no file)
O2 - BHO: (no name) - {46034628-821C-05B4-C227-B5A0FC40FCAF} - (no file)
O2 - BHO: (no name) - {53C401D0-C173-7E8D-D257-350927DE1763} - (no file)
O2 - BHO: (no name) - {570A9ABC-3DEC-8AF2-66E8-9567944E201C} - (no file)
O2 - BHO: (no name) - {595E7E6F-2779-C942-CAB8-55911996604D} - (no file)
O2 - BHO: (no name) - {66BE36B4-FD1C-B850-4827-ECA932D53C44} - (no file)
O2 - BHO: (no name) - {68454196-47E8-C18D-A500-7C44E2066D18} - (no file)
O2 - BHO: (no name) - {783B9D22-B9F2-EDFC-3D2B-4F6A3D1BCF1B} - (no file)
O2 - BHO: (no name) - {7A97DD77-2070-7617-3461-0E4D0FF7624D} - (no file)
O2 - BHO: (no name) - {81BC3EBA-35E5-E622-0BAD-7095B849C484} - (no file)
O2 - BHO: (no name) - {88B9E4D2-1DFD-E365-CABB-E7124F455F33} - (no file)
O2 - BHO: (no name) - {9291DF23-029D-DC8D-B7E6-64BEFF3F25AF} - (no file)
O2 - BHO: (no name) - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - (no file)
O2 - BHO: (no name) - {9B936827-936D-A301-874F-BB34B7DB33C5} - (no file)
O2 - BHO: (no name) - {A7965648-2D3D-951F-7592-B85CE722DB02} - (no file)
O2 - BHO: (no name) - {A927D1F4-E735-581F-E8AF-CE5C50848FE7} - (no file)
O2 - BHO: (no name) - {A98BEA99-7B4B-FA3E-03F1-10C3D1AE7212} - (no file)
O2 - BHO: (no name) - {B8830155-DABD-263E-9DB0-B251233F575C} - (no file)
O2 - BHO: Class - {B9B28B37-0877-7E49-286C-63D980817566} - C:\WINDOWS\ipox.dll (file missing)
O2 - BHO: (no name) - {BAC8C44D-2112-AF01-7896-5BA9C152A8BC} - (no file)
O2 - BHO: (no name) - {C7E432B3-827D-F05D-1512-2D9B010AAF54} - (no file)
O2 - BHO: (no name) - {CC67ADD3-8236-844B-5732-907E26BCF629} - (no file)
O2 - BHO: (no name) - {D6F96C8F-4512-A517-5DA8-FB1C35C3D1C0} - (no file)
O2 - BHO: (no name) - {E570DCA4-C521-2B7F-EB9D-E2F8DD25DF6B} - (no file)
O2 - BHO: (no name) - {E92EFA08-05B6-5902-325B-EF61C5EC29A7} - (no file)
O2 - BHO: (no name) - {EA196353-618C-D58B-907A-4C6567ABB42B} - (no file)
O2 - BHO: (no name) - {F6F49380-F6BB-3D04-920B-C960D86C67BC} - (no file)
O2 - BHO: (no name) - {FF756452-2FA2-7C43-6CAF-070E594D543C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: Wanadoo Search - file://C:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7563 bytes
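The log above is HijackThis's plain-text format: a header, the running-process list, then one entry per line made of a section code (R0, O2, O4, O23 and so on), " - ", and a body; entries whose registry reference points at a file that no longer exists are tagged "(no file)" or "(file missing)". The following triage script is an added example, not code from the thread, from HijackThis or from ESET; it parses that format, counts orphaned references per section, lists the unnamed dead BHO CLSIDs (the long run of them in this log is typical leftover after an adware removal and is dead registry, not running code) and extracts the executable behind each O4 Run entry so a helper can see at a glance what autostarts. The sample input is a constructed excerpt of the log posted above; the regular expressions are the author's assumptions about the format, not anything HijackThis publishes.

```python
"""Triage helper for a HijackThis (HJT) v2 log: parse the lettered entries,
count orphaned registry references and list autostart targets.
Added example; not part of the original thread or of HijackThis itself."""
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49:07, on 03/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\STDSB.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {0846276E-4539-F77E-477A-1EF23204BFBA} - (no file)
O2 - BHO: (no name) - {0A1C8A5D-9929-2FC4-9A72-0FFCEC2D7347} - (no file)
O2 - BHO: Class - {B9B28B37-0877-7E49-286C-63D980817566} - C:\WINDOWS\ipox.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Global Startup: Update Agent.lnk = ?
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
-- End of file - 7563 bytes
"""

# Assumed entry shape: "R0 - ...", "O2 - ...", "O23 - ...": section code, " - ", body.
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "[Name] path args" or '[Name] "quoted path" args', as the O4 Run entries above read.
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def parse_entries(text):
    """Return one dict per HJT entry; header, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("sect"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            # HJT marks a registry reference whose target is gone with one of these.
            "orphaned": body.endswith("(no file)") or body.endswith("(file missing)"),
        })
    return entries


def summarize(entries):
    """Map section code -> (total entries, orphaned entries)."""
    total = Counter(e["section"] for e in entries)
    orphaned = Counter(e["section"] for e in entries if e["orphaned"])
    return {s: (total[s], orphaned[s]) for s in sorted(total)}


def unnamed_orphaned_bhos(entries):
    """CLSIDs of O2 BHO entries that have neither a name nor a backing file.
    These are dead references left behind by a removal, not running code."""
    return [e["clsid"] for e in entries
            if e["section"] == "O2" and e["orphaned"] and "(no name)" in e["body"]]


def autostart_targets(entries):
    """(value name, executable path) for every O4 Run entry carrying a [Name] tag."""
    targets = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = RUN_RE.search(e["body"])
        if m:
            targets.append((m.group("name"), m.group("quoted") or m.group("bare")))
    return targets


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for sect, (n, dead) in summarize(parsed).items():
        print(f"{sect:>4}: {n} entries, {dead} orphaned")
    print("unnamed dead BHOs:", unnamed_orphaned_bhos(parsed))
    print("autostarts:", autostart_targets(parsed))
```

Run against the full log posted above, the O2 section comes out as 37 entries, all orphaned, which is the picture a helper wants before deciding whether anything live is left: dead BHO references are cleanup, while an O4 or O23 entry pointing at an unfamiliar, still-present executable is what merits a closer look.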
BeeCeeBee Posted January 5, 2009

Hi Jasonm and welcome to Extreme Tech Support - Free PC Help!

Please understand that we are in no position to evaluate anyone's PC from an unsolicited HijackThis log. We would be doing nothing else. Based only on what you say and not the log, you seem to be running pretty clean. However, we have a very comprehensive malware detection and removal program. If you wish you can run it and, once completed, you will be on pretty safe ground in telling your brother-in-law that he is malware free. It is as follows:

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Required Cleanup Steps
- Disable the Spybot Search & Destroy TeaTimer if you use it and if it is enabled
- Run a temporary file and cache cleaner (ATF)
- Run 2 anti-malware scanners (listed below)
- Run an online anti-virus / anti-malware scanner (listed below)
- Clear out old System Restore points

If continued malware-type activity is present you may be asked to post a TrendMicro™ HijackThis™ log file; do not do so unless requested.

The reason to run multiple scanners is to ensure that no single scanner is missing something. The time it takes will vary depending on your system and your internet connection speed. Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 and 90 minutes. The ESET online scan should take between 1 and 3 hours. In most cases, these scans will suffice to clean and disinfect your computer. Heavily infected systems or slower PCs can take much longer to scan and clean.

For best results print the following instructions and bookmark this web page. To keep this guide printer-friendly, use your cursor to highlight the contents below. From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware.
http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/printer-selection.gif

STEP 1
Disable Spybot Search & Destroy's TeaTimer (if installed; if not, go to Step 2):
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

STEP 2
Follow these instructions carefully.
Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
When you run ATF-Cleaner, check the items as shown below for Main. For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox.
NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored.
Then click on "Empty Selected".
http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner01.gif
http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner02.gif

STEP 3
Install and run the free version (not the Professional version) of SUPERAntiSpyware from SUPERAntiSpyware.com.
Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.
You do not have to send them your e-mail address, just click Next.
You can leave the automated check for updates on.
You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.
DO NOT allow SUPERAntiSpyware to protect your Home Page settings.
On the top left select the Scan your computer button.
Make sure there is a CHECK MARK on all Fixed Drives.
Click "Perform a Complete Scan".
Click "Next" to repair issues found and reboot the computer when prompted to do so.

STEP 4
Install and run Malwarebytes' Anti-Malware from Malwarebytes (direct download).
Accept all defaults for the installer.
Allow the program to update the definitions.
Click on the Quick Scan and click Next.
If any items are found allow it to clean them and then reboot your computer.

STEP 5
Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner.
You must use Internet Explorer for this online scan. FireFox, Opera, etc. will not work for this scan.
If your computer is running Windows Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.
Accept the terms and click "Start".
Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".
Click "Start" to begin the scan.
When completed, restart your computer.

Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating. At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.

If required, this is the download link for TrendMicro™ HijackThis™. Unless instructed to by the Technician helping you, do not download this tool.

Once you and the Technician agree that your system appears to be clean, then you should delete all your System Restore points and recreate a new one. Please follow the instructions here:
How to turn off and turn on System Restore in Windows XP
How to turn off and turn on System Restore in Windows Vista

Edited January 5, 2009 by BeeCeeBee

"Familiarity breeds contempt - and children." Mark Twain
Jasonm (Author) Posted January 5, 2009

Hello Beeceebee. Thanks for the quick reply. Sorry if I have breached any rules with the log; would you like me to edit the post and remove it...? I will do the steps you have provided and get back with an update... Once again I would like to apologise and also thank you for the reply...
Goku Posted January 5, 2009

> Hello Beeceebee. Thanks for the quick reply. Sorry if I have breached any rules with the log; would you like me to edit the post and remove it...? I will do the steps you have provided and get back with an update... Once again I would like to apologise and also thank you for the reply...

Hello Jason. Posting a HijackThis log is not a breach of rules, but you must understand that in the present state, we do not have any Malware Specialists to look over your log. We are working hard to recruit some and when we are done, we will be able to assist with HijackThis logs too. Please don't take anything to heart and feel free to ask any more questions or doubts you may have. :)

-- Goku
BeeCeeBee Posted January 5, 2009

No Jason, you have done nothing wrong at all. I disagree with Goku in only one respect. We do have some capable people, but it would be opening a floodgate and we could never handle it. Generally we only respond to HijackThis logs where we ask for them in special circumstances.

"Familiarity breeds contempt - and children." Mark Twain
Jasonm (Author) Posted January 5, 2009

Thank god for that.....lol I have used the site before and the response was fantastic, so I didn't want to rock the boat. I will do the above mentioned apps and report back (may be a few days as I will have to go to the brother-in-law's to sort it out for him). Thanks again
Guest Wolfeymole Posted January 5, 2009

Jason, as has been explained we are not in the position to adequately advise on HJT logs at this time. This is currently under review and we hope to have staff before long qualified to deal with HJT issues. In the meantime we would suggest that you go here with regard to your HJT log: MalWare Removal • Malware Removal - Website Home Page.
Jasonm (Author) Posted January 5, 2009

Thanks for the link, I'll give it a try but will check back here as well to see if the situation updates..