Coworker's HJT

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lbmest, Apr 17, 2006.

  1. lbmest

    lbmest MajorGeek

Coworker's comp - Dell Optiplex GX270, P4, 3.00 GHz, 1 GB RAM, XP Pro SP2 fully updated
IE browser popups last week. Coworker did some scans in Normal & Safe Modes. Not sure exactly what.
    Have CCleaner, Spybot S&D, Ad-Aware SE, Spywareblaster & NISP 2004 installed. System Restore was turned off. Problem was thought to be solved.
    This AM more popups on IE. Coworker went home sick.
    Step 0 - Nothing unusual in Add/Remove. Nothing in Norton Protected.
    Step 1 - System restore already off.
    Step 2 - Folders shown.
    Step 3 - NISP 2004 only
    Step 4 - DL'ed MS Defender, Win Malicious, HJT, CWShredder, Kill2Me
    Step 5 - Booted Safe Mode. Ran CCleaner.
    Ran Win Malicious - None
    Ran Ad-Aware - Found 3 Neg. MRU - removed
    Ran Spybot - Found Smitfraud-C. (2), Vcodec (1) - 3 fixed
    Screwed up on install of MS Defender. Rebooted Normal. DL'ed Defender and updated Spybot.
    Rebooted Safe Mode, reran Spybot - Found Spyware Quake (2), Vcodec (2), Zlob.Downloader (2) Fixed 6
    MS Defender Quick Scan - Nothing. Full Scan - Nothing
    CWShredder - Nothing
    Kill2Me - Nothing
    Step 6 - Rebooted Safe w/Networking
    Bitdefender - saved log
    PandaScan - Couldn't get to save report button.
    Step 7 - Rebooted Normal. Opened IE. Browser goes to (safetydefender dot com)?
    Ran HJT from C:\HJT. Attached log
    Leaving work now, will look at early AM tomorrow. TIA
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run all steps in the below (ignore the fact that you may not find all items mentioned and just complete all steps):

    SpywareQuake Removal Procedure

    Attach the smitfiles.txt log when finished and tell me your current status.

    Also attach a new HJT log.
     
  3. lbmest

    lbmest MajorGeek

    Completed all steps. Nothing found in Add/Remove, No files to delete in WINDOWS\system32, No files or folders found to delete after Normal reboot.
    IE goes to correct home page. File and HJT attached.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you need the below Proxy Server setting for work?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp7455.tmp (file missing)
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
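The R1 / O2 / O3 / O6 lines chaslang lists are registry entries HijackThis reads and classifies: a per-user proxy, Browser Helper Objects and toolbars registered by CLSID whose DLL is gone, and an IE Control Panel policy key. The script below is an added example (not from this thread and not HijackThis code) that reports the same kinds of entries on a current Windows machine. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the registry paths are the standard IE and COM locations. It only reports; removal is still the manual Fix step described above.

```powershell
# Added example, not from the thread: audit the Internet Explorer items behind the
# R1 / O2 / O3 / O6 lines in chaslang's list. Read-only: it reports, it does not fix.
# Assumes Windows PowerShell 5.1+ on the machine being checked, run elevated so the
# HKLM keys are readable. Registry paths are the standard IE/COM locations.

$ErrorActionPreference = 'SilentlyContinue'

# Resolve a COM CLSID to the DLL it loads (InprocServer32 default value), HKLM then HKCU.
function Resolve-ClsidFile {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $srv = Get-ItemProperty -Path "$root\$Clsid\InprocServer32"
        if ($srv -and $srv.'(default)') {
            return [Environment]::ExpandEnvironmentVariables($srv.'(default)')
        }
    }
    return $null
}

# Classify an entry the way HijackThis prints it: a CLSID with no InprocServer32 is
# "(no file)"; one whose DLL path no longer exists on disk is "(file missing)".
function Get-EntryStatus {
    param([string]$Clsid)
    $file = Resolve-ClsidFile -Clsid $Clsid
    if (-not $file)             { return @{ File = '(no file)';             Suspicious = $true } }
    if (-not (Test-Path $file)) { return @{ File = "$file (file missing)"; Suspicious = $true } }
    return @{ File = $file; Suspicious = $false }
}

$findings = @()

# R1 - per-user proxy. In the thread localhost:8081 was a legitimate work proxy; the
# same value on a machine with no local proxy installed is something to investigate.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyServer) {
    $findings += [pscustomobject]@{
        Kind = 'R1'; Name = 'ProxyServer'; Detail = $inet.ProxyServer
        Suspicious = ($inet.ProxyServer -match 'localhost|127\.0\.0\.1')
    }
}

# O2 - Browser Helper Objects: one subkey per CLSID.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($k in Get-ChildItem $bhoKey) {
    $s = Get-EntryStatus -Clsid $k.PSChildName
    $findings += [pscustomobject]@{ Kind = 'O2'; Name = $k.PSChildName; Detail = $s.File; Suspicious = $s.Suspicious }
}

# O3 - toolbars: the value names under the Toolbar key are CLSIDs.
$tb = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
foreach ($p in $tb.PSObject.Properties | Where-Object { $_.Name -like '{*}' }) {
    $s = Get-EntryStatus -Clsid $p.Name
    $findings += [pscustomobject]@{ Kind = 'O3'; Name = $p.Name; Detail = $s.File; Suspicious = $s.Suspicious }
}

# O6 - IE Control Panel policy key (locks Internet Options; malware sets it as well as admins).
$polKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
if (Test-Path $polKey) {
    $findings += [pscustomobject]@{ Kind = 'O6'; Name = 'Control Panel policy'; Detail = $polKey; Suspicious = $true }
}

$findings | Sort-Object Kind | Format-Table -AutoSize
```

Entries reported with Suspicious = True are the ones to review, the same way the "(no file)" and "(file missing)" lines were picked out of the log above; a flagged R1 proxy is only a problem if nothing you installed is actually listening on that local port, which is exactly the question chaslang asked.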
     
  5. lbmest

    lbmest MajorGeek

    Hey chaslang,
    Everything seems to be running fine. No popups or browser redirects yesterday. Early AM today did all steps. Do need the R1 entry for work.
    When I rebooted to Normal, it took the normal length of time. I looked at Task Manager and CPU usage was at 0% - 2% except for spikes when Norton processes clicked in.
    If there is anything else, let me know. I appreciate the job you guys do as do many others.
Thanks! :)
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
