Are there any nasties left..?


Unread postby Jasonm » January 10th, 2009, 4:47 am

Hello all.
I recently received a call from my brother-in-law asking if I could look at his laptop. It had no AV running or any other protection at all; it had spyware infecting the desktop and probably a whole lot more. I installed ESET NOD32, scanned, and it found and fixed 8 problems. I then installed and ran Malwarebytes Anti-Malware, which found 4 problems, one of them being the desktop hijacker.
Could someone have a look at his HijackThis log and see if there is anything else I need to do, please...

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49:07, on 03/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Documents and Settings\Ellis\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {0846276E-4539-F77E-477A-1EF23204BFBA} - (no file)
O2 - BHO: (no name) - {0A1C8A5D-9929-2FC4-9A72-0FFCEC2D7347} - (no file)
O2 - BHO: (no name) - {0E368392-AD4F-5461-2A9A-288167712596} - (no file)
O2 - BHO: (no name) - {16B05DC6-B860-235A-E7C1-ABDA898678EE} - (no file)
O2 - BHO: (no name) - {1EB9A5C3-8BE0-1184-BF52-28550086EC10} - (no file)
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - (no file)
O2 - BHO: (no name) - {209F8E8B-6292-6C42-3CE2-9DCDECC213E7} - (no file)
O2 - BHO: (no name) - {2B7E95AD-F49A-B2B2-7702-10D4ABFF9B32} - (no file)
O2 - BHO: (no name) - {3D2ACA16-3F1C-BF97-6524-0F7072E1E895} - (no file)
O2 - BHO: (no name) - {46034628-821C-05B4-C227-B5A0FC40FCAF} - (no file)
O2 - BHO: (no name) - {53C401D0-C173-7E8D-D257-350927DE1763} - (no file)
O2 - BHO: (no name) - {570A9ABC-3DEC-8AF2-66E8-9567944E201C} - (no file)
O2 - BHO: (no name) - {595E7E6F-2779-C942-CAB8-55911996604D} - (no file)
O2 - BHO: (no name) - {66BE36B4-FD1C-B850-4827-ECA932D53C44} - (no file)
O2 - BHO: (no name) - {68454196-47E8-C18D-A500-7C44E2066D18} - (no file)
O2 - BHO: (no name) - {783B9D22-B9F2-EDFC-3D2B-4F6A3D1BCF1B} - (no file)
O2 - BHO: (no name) - {7A97DD77-2070-7617-3461-0E4D0FF7624D} - (no file)
O2 - BHO: (no name) - {81BC3EBA-35E5-E622-0BAD-7095B849C484} - (no file)
O2 - BHO: (no name) - {88B9E4D2-1DFD-E365-CABB-E7124F455F33} - (no file)
O2 - BHO: (no name) - {9291DF23-029D-DC8D-B7E6-64BEFF3F25AF} - (no file)
O2 - BHO: (no name) - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - (no file)
O2 - BHO: (no name) - {9B936827-936D-A301-874F-BB34B7DB33C5} - (no file)
O2 - BHO: (no name) - {A7965648-2D3D-951F-7592-B85CE722DB02} - (no file)
O2 - BHO: (no name) - {A927D1F4-E735-581F-E8AF-CE5C50848FE7} - (no file)
O2 - BHO: (no name) - {A98BEA99-7B4B-FA3E-03F1-10C3D1AE7212} - (no file)
O2 - BHO: (no name) - {B8830155-DABD-263E-9DB0-B251233F575C} - (no file)
O2 - BHO: Class - {B9B28B37-0877-7E49-286C-63D980817566} - C:\WINDOWS\ipox.dll (file missing)
O2 - BHO: (no name) - {BAC8C44D-2112-AF01-7896-5BA9C152A8BC} - (no file)
O2 - BHO: (no name) - {C7E432B3-827D-F05D-1512-2D9B010AAF54} - (no file)
O2 - BHO: (no name) - {CC67ADD3-8236-844B-5732-907E26BCF629} - (no file)
O2 - BHO: (no name) - {D6F96C8F-4512-A517-5DA8-FB1C35C3D1C0} - (no file)
O2 - BHO: (no name) - {E570DCA4-C521-2B7F-EB9D-E2F8DD25DF6B} - (no file)
O2 - BHO: (no name) - {E92EFA08-05B6-5902-325B-EF61C5EC29A7} - (no file)
O2 - BHO: (no name) - {EA196353-618C-D58B-907A-4C6567ABB42B} - (no file)
O2 - BHO: (no name) - {F6F49380-F6BB-3D04-920B-C960D86C67BC} - (no file)
O2 - BHO: (no name) - {FF756452-2FA2-7C43-6CAF-070E594D543C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: Wanadoo Search - file://C:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 7563 bytes
Jasonm
Active Member
 
Posts: 1
Joined: January 10th, 2009, 4:43 am

Re: Are there any nasties left..?

Unread postby muppy03 » January 13th, 2009, 1:46 am

Hello and welcome to the Malware Removal Forums

I will be assisting you with your Malware issues.

IMPORTANT

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean!
  • If you have any questions or are unsure in any way, please let me know. I will try my best to help you!
  • Please reply to this thread. Do not start a new topic.
  • As I am still in training, everything that I post to you must be checked by one of the teachers. Therefore, there may be a slight delay between posts.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.
muppy03
MRU Emeritus
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Are there any nasties left..?

Unread postby muppy03 » January 16th, 2009, 8:27 am

Hi Jason, :flower:

Please go to Virus Total or Jotti
and upload C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe for scanning.
For Virus Total
1. Please copy and paste C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe in the text box next to the Browse button.
2. Click on Send File.
For Jotti
1. Please copy and paste C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe in the text box next to the Browse button.
2. Click on Submit.

Please post back the results of the scan in your next post.


Move HiJackThis
Your copy of HijackThis needs to be in a folder of its own in the root directory, not the Desktop. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders, because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Go to your My Documents folder, right-click and select New > Folder then name the folder HJT.
  • Copy and paste HijackThis.exe to the new folder.

Once that is done, open HijackThis, select Do a System Scan Only and place a check next to the lines below if present:

    O2 - BHO: Class - {B9B28B37-0877-7E49-286C-63D980817566} - C:\WINDOWS\ipox.dll (file missing)
    O2 - BHO: (no name) - {0846276E-4539-F77E-477A-1EF23204BFBA} - (no file)
    O2 - BHO: (no name) - {0A1C8A5D-9929-2FC4-9A72-0FFCEC2D7347} - (no file)
    O2 - BHO: (no name) - {0E368392-AD4F-5461-2A9A-288167712596} - (no file)
    O2 - BHO: (no name) - {16B05DC6-B860-235A-E7C1-ABDA898678EE} - (no file)
    O2 - BHO: (no name) - {1EB9A5C3-8BE0-1184-BF52-28550086EC10} - (no file)
    O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - (no file)
    O2 - BHO: (no name) - {209F8E8B-6292-6C42-3CE2-9DCDECC213E7} - (no file)
    O2 - BHO: (no name) - {2B7E95AD-F49A-B2B2-7702-10D4ABFF9B32} - (no file)
    O2 - BHO: (no name) - {3D2ACA16-3F1C-BF97-6524-0F7072E1E895} - (no file)
    O2 - BHO: (no name) - {46034628-821C-05B4-C227-B5A0FC40FCAF} - (no file)
    O2 - BHO: (no name) - {53C401D0-C173-7E8D-D257-350927DE1763} - (no file)
    O2 - BHO: (no name) - {570A9ABC-3DEC-8AF2-66E8-9567944E201C} - (no file)
    O2 - BHO: (no name) - {595E7E6F-2779-C942-CAB8-55911996604D} - (no file)
    O2 - BHO: (no name) - {66BE36B4-FD1C-B850-4827-ECA932D53C44} - (no file)
    O2 - BHO: (no name) - {68454196-47E8-C18D-A500-7C44E2066D18} - (no file)
    O2 - BHO: (no name) - {783B9D22-B9F2-EDFC-3D2B-4F6A3D1BCF1B} - (no file)
    O2 - BHO: (no name) - {7A97DD77-2070-7617-3461-0E4D0FF7624D} - (no file)
    O2 - BHO: (no name) - {81BC3EBA-35E5-E622-0BAD-7095B849C484} - (no file)
    O2 - BHO: (no name) - {88B9E4D2-1DFD-E365-CABB-E7124F455F33} - (no file)
    O2 - BHO: (no name) - {9291DF23-029D-DC8D-B7E6-64BEFF3F25AF} - (no file)
    O2 - BHO: (no name) - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - (no file)
    O2 - BHO: (no name) - {9B936827-936D-A301-874F-BB34B7DB33C5} - (no file)
    O2 - BHO: (no name) - {A7965648-2D3D-951F-7592-B85CE722DB02} - (no file)
    O2 - BHO: (no name) - {A927D1F4-E735-581F-E8AF-CE5C50848FE7} - (no file)
    O2 - BHO: (no name) - {A98BEA99-7B4B-FA3E-03F1-10C3D1AE7212} - (no file)
    O2 - BHO: (no name) - {B8830155-DABD-263E-9DB0-B251233F575C} - (no file)
    O2 - BHO: (no name) - {BAC8C44D-2112-AF01-7896-5BA9C152A8BC} - (no file)
    O2 - BHO: (no name) - {C7E432B3-827D-F05D-1512-2D9B010AAF54} - (no file)
    O2 - BHO: (no name) - {CC67ADD3-8236-844B-5732-907E26BCF629} - (no file)
    O2 - BHO: (no name) - {D6F96C8F-4512-A517-5DA8-FB1C35C3D1C0} - (no file)
    O2 - BHO: (no name) - {E570DCA4-C521-2B7F-EB9D-E2F8DD25DF6B} - (no file)
    O2 - BHO: (no name) - {E92EFA08-05B6-5902-325B-EF61C5EC29A7} - (no file)
    O2 - BHO: (no name) - {EA196353-618C-D58B-907A-4C6567ABB42B} - (no file)
    O2 - BHO: (no name) - {F6F49380-F6BB-3D04-920B-C960D86C67BC} - (no file)
    O2 - BHO: (no name) - {FF756452-2FA2-7C43-6CAF-070E594D543C} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Once selected, close all windows except HJT and click on Fix Checked.

REBOOT

Next Using Windows Explorer, locate the following file and delete if present.
To access Windows Explorer Right click the start button and select the explore option.

    C:\WINDOWS\ipox.dll


Next Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply along with a NEW HJT log and the results from Virus Total or Jotti
muppy03
MRU Emeritus
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia
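The fix list above is built from a pattern a helper reads by eye: O2/O3 entries whose CLSID is registered but whose target is "(no file)" or "(file missing)" are orphaned browser add-on registrations, and fixing them in HijackThis removes only the registry entry, so any path still named in a "(file missing)" entry (C:\WINDOWS\ipox.dll here) has to be checked on disk separately; the O4 Run entries are the autostart executables one would hash and upload to a multi-engine scanner. The following script, written for this page and not part of HijackThis or the forum's tooling, automates that triage over a constructed sample built from entry types in the log above. It assumes the line layouts shown in the thread; the function and field names are ours.

```python
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed sample in HijackThis v2 log format. Entry types and CLSIDs are taken from
# the log posted in this thread; the selection is ours and is not the full log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {0846276E-4539-F77E-477A-1EF23204BFBA} - (no file)
O2 - BHO: Class - {B9B28B37-0877-7E49-286C-63D980817566} - C:\WINDOWS\ipox.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Global Startup: Update Agent.lnk = ?
"""

# O2 (Browser Helper Object) and O3 (IE toolbar): "<section> - <kind>: <name> - {CLSID} - <target>"
O2_O3_RE = re.compile(
    r"^(?P<sect>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# O4 Run-key entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program in a command line: a quoted path, or a bare path up to its program extension
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|com|scr|bat|cmd)))', re.I)


@dataclass
class Finding:
    section: str
    clsid: str
    name: str
    target: str
    reason: str


def classify_target(target: str) -> Optional[str]:
    """Why an O2/O3 entry is an orphan, or None if it points at a file HJT found on disk."""
    if target.strip() == "(no file)":
        return "no file path is registered for this CLSID"
    if target.endswith("(file missing)"):
        return "registered DLL path no longer exists on disk"
    return None


def triage_orphans(log_text: str) -> List[Finding]:
    """Flag O2/O3 entries with no backing file; these are the lines a fix list is built from."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O2_O3_RE.match(line.strip())
        if not m:
            continue
        reason = classify_target(m["target"])
        if reason:
            findings.append(Finding(m["sect"], m["clsid"], m["name"], m["target"], reason))
    return findings


def missing_file_paths(findings: List[Finding]) -> List[str]:
    """Paths named in '(file missing)' entries: fixing the registry entry does not touch these."""
    suffix = "(file missing)"
    return [f.target[: -len(suffix)].strip() for f in findings if f.target.endswith(suffix)]


def autostart_executables(log_text: str) -> List[str]:
    """Executables launched from O4 Run entries, the candidates for hashing and online scanning."""
    exes = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip()
        e = EXE_RE.match(cmd)
        exes.append((e["quoted"] or e["bare"]) if e else cmd)
    return exes


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> Optional[str]:
    """SHA-256 of a file for submission by hash, or None when it is absent (the 'file missing' case)."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    found = triage_orphans(SAMPLE_LOG)
    for f in found:
        print(f"{f.section} {f.clsid} {f.name!r}: {f.reason}")
    print("check on disk after the fix:", missing_file_paths(found))
    print("autostart executables to hash:", autostart_executables(SAMPLE_LOG))
    print("sha256 of ipox.dll:", sha256_of_file(r"C:\WINDOWS\ipox.dll"))
```

The script only reads a saved log; it changes nothing in the registry or on disk, so it is safe to run on a copy of the log before deciding what to hand to HijackThis. Entries that resolve to a real file, like the Google toolbar line, are deliberately left alone: the "(no file)" / "(file missing)" markers are what separate dead registrations from live components.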

Re: Are there any nasties left..?

Unread postby Shaba » January 19th, 2009, 3:50 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland