MajorGeeks Support Forums

#1 | 08-11-06, 00:14 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Security hijack help needed

Like others I have a computer with 2 security page problems. One creates the yellow triangle and popup message stating that I have a problem and to click on the icon, which goes to a web site. It is created to look like a Windows message. The other issue is a home page hijack that takes me to a Security Center site named www dot homepagesecurity dot com. I have tried for the last 6 hours to follow the Read and Run Me First instructions. I was not able to get the BitDefender scan to work. After trying to download the virus definitions it gave me a message that it was unable to update them and the scan would not be accurate, so I ended up skipping it. I am attaching the files suggested with the exception of the BitDefender one. I am running Norton AntiVirus 2006; the definitions were up to date last night and I did a complete scan. I am working on my daughter's computer (23 y/o and not living at home) so I only get to work on it in the evenings, so if I am slow responding it is not by design. I have 12 hours into this now. It appeared after a friend surfed some porn sites, or so the story goes. I will send the getrunkey and shownew as soon as I can find them. I think they are under the administrator account as I ran them from both users. Any help is greatly appreciated.
Attached Files
File Type: log hijackthis.log (10.1 KB, 5 views)
File Type: txt Activescan.txt (6.8 KB, 2 views)
#2 | 08-11-06, 00:25 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

Here are the runkeys and newfiles attachments. When I ran the MS Windows Malicious Software Removal Tool it came back with no malicious software. Spybot S&D found one Microsoft WindowsSecurityCenter_disabled file and said it fixed it. Windows Defender was run in safe mode. Thanks again for any help. AlasKen
Attached Files
File Type: txt newfiles.txt (20.9 KB, 3 views)
File Type: txt runkeys.txt (12.9 KB, 1 views)
#3 | 08-11-06, 17:47 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

I am not sure if it matters but I noticed my email address was incorrect in my profile so I corrected it. Thanks in advance for your help. AlasKen
#4 | 08-12-06, 17:28 | Shadow_Puter_Dude (MG Authorized Malware Fighter; Join Date: Apr 2005; Location: Northern NY)
Re: Security hijack help needed

Do you have a log from the BitDefender Online Scan?
__________________
Kevin Zoll
Emsisoft Team - www.emsisoft.com


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
#5 | 08-12-06, 20:04 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

I could not get BitDefender to run. It would get about 70% through loading virus definitions, then would throw an "unable to load virus definitions" message and state that a scan would be inaccurate, so I didn't run that scan. I did run a Norton scan. Thanks..AlasKen
#6 | 08-12-06, 22:53 | Shadow_Puter_Dude (MG Authorized Malware Fighter; Join Date: Apr 2005; Location: Northern NY)
Re: Security hijack help needed

Download
- Pocket Killbox

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"homepage.monitor.exe"=-
"pmsngr.exe"=-
Close Notepad.

In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
Quote:
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec\isamini.exe
Choose Kill Process, then click on the "Back" button.

Click the 'Scan' button. Place a checkmark in the box next to the following lines:
Quote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...//www.msn.com/
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/59/EN/html/gtdownlr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    Quote:
    c:\GatorPatch.log
    c:\keys.ini
    c:\documents and settings\all users\desktop\Online Security Guide.url
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GDIFKPEB\safetyhomepage[2].htm
    C:\Program Files\IntCodec\iesplugin.dll
    C:\Program Files\IntCodec\isaddon.dll
    C:\Program Files\IntCodec\isamini.exe
    C:\Program Files\IntCodec\isamonitor.exe
    C:\Program Files\IntCodec\pmmon.exe
    C:\Program Files\IntCodec\pmsngr.exe
    c:\winnt\ss3unstl.exe
    C:\WINNT\system32\cd_clint.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Open Windows Explorer, navigate to and DELETE the following (some of these may have already been deleted by Pocket Killbox):
Quote:
c:\GatorPatch.log <<=== Delete the File
c:\keys.ini <<=== Delete the File
c:\documents and settings\all users\desktop\Online Security Guide.url <<=== Delete the File
C:\Program Files\IntCodec <<=== Delete the Folder
c:\winnt\ss3unstl.exe <<=== Delete the File
C:\WINNT\system32\cd_clint.dll <<=== Delete the File
Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, go to Start -> Run, type cleanmgr and click OK. Make sure the boxes for these are checked:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin

And click OK.

REBOOT to Normal Mode.

Post a fresh HijackThis log.
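The fix above hinges on recognising a handful of indicators in a HijackThis log: anything loading from the IntCodec directory, the CLSIDs of its BHO and toolbar, and orphaned O9 buttons. The triage script below is an added example, not code from the thread or from HijackThis; it reads log lines of that form and reports which ones match those indicators. The sample log lines are constructed (the O4 entry is a placeholder).

```python
import re

# Indicators taken from the removal instructions above: the IntCodec directory and
# the CLSIDs of its BHO (isaddon.dll) and "Protection Bar" toolbar (iesplugin.dll).
SUSPECT_DIR = "c:\\program files\\intcodec\\"
SUSPECT_CLSIDS = {
    "{1da7dbe8-c51b-4ae4-bc6e-21863349b0b4}",  # O2 - BHO
    "{a2595f37-48d0-46a1-9b51-478591a97764}",  # O3 - Toolbar: Protection Bar
}
# O9 buttons whose target no longer exists were also marked for fixing in the thread.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# A HijackThis line reads "<section> - <body>", e.g. "O2 - BHO: name - {clsid} - path".
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

def classify(line):
    """Return (section, reason) if the line matches a thread indicator, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    if SUSPECT_DIR in low:
        return section, "loads from the IntCodec directory"
    for clsid in CLSID_RE.findall(body):
        if clsid.lower() in SUSPECT_CLSIDS:
            return section, "known IntCodec CLSID " + clsid.lower()
    if section == "O9" and any(mark in low for mark in ORPHAN_MARKERS):
        return section, "orphaned IE button (target missing)"
    return None

def triage(log_text):
    """Return [(line, reason), ...] for every flagged line of a HijackThis log."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((line.strip(), verdict[1]))
    return hits

# Constructed sample: three lines of the kind quoted in the thread plus a benign
# placeholder O4 entry that must not be flagged.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\\Program Files\\IntCodec\\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\\Program Files\\IntCodec\\iesplugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\\..\\Run: [ExampleApp] C:\\Program Files\\ExampleApp\\example.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:40s} {line}")
```

Run it against a saved hijackthis.log by passing the file's contents to triage(); a line that matches by CLSID but not by path still gets flagged, which catches the same component dropped somewhere else.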
#7 | 08-14-06, 21:13 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

Thank you very much. I attempted to follow your instructions and I think things worked.

When I ran the HJT process manager, none of the processes on your list were listed so I had nothing to kill.

The next process for fixing the checked files seemed to work as expected.

I ran Killbox and all seemed to work.

I did not get the PendingFileRenameOperations.

When I went to Windows Explorer the only file I found was the C:\Program Files\IntCodec folder and I deleted it with no problem.

I ran CCleaner

And then deleted the contents of WINNT\Prefetch and deleted 17 items.

I ran cleanmgr and selected the files stated.

On reboot I was able to set my homepage without a hijack. Very cool. I haven't received the other annoying popups either.

I am attaching the new HJT file

I truly appreciate the time you spent on this.

AlasKen
Attached Files
File Type: log hijackthis.log (8.7 KB, 0 views)
#8 | 08-14-06, 21:57 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

I have also followed the thread on "How to protect yourself from malware" to try and prevent future occurrences. I have not reset the system restore point until I know it is time. Thanks again. AlasKen
#9 | 08-14-06, 22:03 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

Oops. After reviewing all the steps I realized that I forgot to rename HijackThis, so I renamed it and ran it again. Sorry for the inconvenience. Again thanks for the help. AlasKen
Attached Files
File Type: log hijackthis.log (9.0 KB, 1 views)
#10 | 08-14-06, 22:08 | Shadow_Puter_Dude (MG Authorized Malware Fighter; Join Date: Apr 2005; Location: Northern NY)
Re: Security hijack help needed

<< The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 5.0 Update 8, available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

Otherwise your log is clean.

Flush all your restore points and create a new clean one for your system.

Disable And Enable System Restore
How to Protect yourself from malware!

Safe surfing.
#11 | 08-14-06, 22:12 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

Dude, you're the best.

Not sure why JAVA was out of date as I downloaded it over the weekend. No matter I will try again. I am very thankful for your help. However my daughter is even happier!!! Thanks..AlasKen
#12 | 08-14-06, 22:17 | Shadow_Puter_Dude (MG Authorized Malware Fighter; Join Date: Apr 2005; Location: Northern NY)
Re: Security hijack help needed

Quote:
Originally Posted by AlasKen
Dude, you're the best.

Not sure why JAVA was out of date as I downloaded it over the weekend. No matter I will try again. I am very thankful for your help. However my daughter is even happier!!! Thanks..AlasKen
The update to Java was just released the other day.

You're welcome.
#13 | 08-14-06, 23:28 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

All nasties appear to be gone. Great job and thanks.

As a follow-up, when I start it seems to take a long time (~5 minutes) before everything loads. It seems that a lot of processes are starting in the background. While the load takes place everything slows to a crawl even though NAV and other processes appear to be finished. Screens get choppy and you can see the screen refresh taking place. Once everything loads, everything speeds back up. Would this be something I should ask about on the software forum? I will start a new thread if that is appropriate. Thanks again for the help.
#14 | 08-15-06, 17:22 | Shadow_Puter_Dude (MG Authorized Malware Fighter; Join Date: Apr 2005; Location: Northern NY)
Re: Security hijack help needed

Determine what you don't need to load when Windows starts, then configure those programs not to load at system start.
#15 | 08-16-06, 18:28 | AlasKen (Private First Class; Join Date: May 2004; Location: Anchorage, AK)
Re: Security hijack help needed

Sorry to be dense, but what is the proper way to determine what is actually loading at system start and how do I configure it? I do understand that msconfig is not the proper way to disable it, but I am not sure if there is a tool to simplify the process. Thanks again. As an update, my daughter reports that all is running with a heightened sense of safe surfing. Great job. AlasKen
#16 | 08-16-06, 19:29 | Shadow_Puter_Dude (MG Authorized Malware Fighter; Join Date: Apr 2005; Location: Northern NY)
Re: Security hijack help needed

For the ones that use a registry entry, they usually show in HijackThis; simply marking them and clicking Fix will remove the entry from the registry. Then the programs won't start. Others can be found in the Startup folder, either under All Users or the logged-on user.