persistent popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by dweiss792, Apr 12, 2008.

  1. dweiss792

    dweiss792 Private E-2

    here is the hijackthis log
    thanks in advance

    Logfile of Trend Micro HijackThis v2.0.2
     
    Last edited by a moderator: Apr 12, 2008
    dweiss792, Apr 12, 2008
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    chaslang, Apr 12, 2008
    #2
  3. dweiss792

    dweiss792 Private E-2

    ran thru the read & run procedures. could not get combofix to work. logs are attached.
     

    Attached Files:

    dweiss792, Apr 13, 2008
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run it exactly as requested? Did you run it after the other 3 scans were already run? What happens?

    You need to cleanup your Desktop as soon as possible. You have way to much unnecessary junk on your Desktop. Malware loves to hide on cluttered Desktops.



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {44BA4EFC-CCAD-4888-8AF8-F20DB20E8B71} - C:\Program Files\NetMeeting\ryfyjo4444.dll (file missing)
    O2 - BHO: (no name) - {8D7A6019-5195-4709-9175-C92B1D0E8EA3} - C:\WINDOWS\system32\nnnli.dll (file missing)
    O2 - BHO: (no name) - {a0beae70-dae4-40fb-b333-d00fab59b02a} - (no file)
    O2 - BHO: (no name) - {F3D57CA3-48A0-4456-BBC6-F23DCE37398F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
    O20 - Winlogon Notify: byxxvtq - byxxvtq.dll (file missing)
    O20 - Winlogon Notify: ssttttr - ssttttr.dll (file missing)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Apr 13, 2008
    #4
  5. dweiss792

    dweiss792 Private E-2

    ran everything in order the first time. combofix just opened the box with a blinking curser that did nothing for a long time.

    just tried again and it worked this time. log is attached.

    then went thru your suggested process. other logs are also attached.

    trend micro popped a warning about freeloader smitfraud but did not delete it.

    web popups seem to have subsided.

    dumped a bunch of stuff from the desktop. there are a couple of hidden folders, _vti_cnf and _vti_pvt, and a couple of files Thumbs.db and ZbThumbnail.info, plus a couple of other files fphover.class and fphoverx.class. don't know what these are.
     

    Attached Files:

    dweiss792, Apr 14, 2008
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are okay.

    A file for your Sun Java seems to be missing and is causing the below to show in your HijackThis log:
    You should reinstall Sun Java from the below link:

    Sun Java Runtime Environment


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Other than the above, your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    3. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    chaslang, Apr 14, 2008
    #6
  7. dweiss792

    dweiss792 Private E-2

    Everything done and all seems to be working just fine now. You are my hero.

    Your last instruction ended with -
    "After doing the above, you should work thru the below link:"

    no link followed. was there supposed to be more?

    tia
     
    dweiss792, Apr 16, 2008
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Sorry about that! Just a copy and paste error. Here is the link:

    How to Protect yourself from malware!
     
    chaslang, Apr 18, 2008
    #8

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds