
[Active] Followed The 8-Step Removal Guide - Help Please

Discussion in 'Virus and Malware Removal' started by Anno, Nov 8, 2010.

Thread Status:
Not open for further replies.
  1. Anno Newcomer, in training

    Any help with the possible causes of why I have lost online ability is also welcomed, as having to use a neighbour's to check my email and replies here is a pain!!! ;-)
  2. Bobbye Helper on the Fringe

    There should be a section in the OTMoveIt log, at the bottom, after this "User: NewUser
    ->Temp folder emptied: 2005085 bytes" that lists the Files that were moved. Please see if you have it and just copy that part into next reply.

    There is also a line missing from the end of the Combofix log header, at the top of Combofix. It tells me what the AV is, what the FW is, and if they are disabled and updated.
    =====================================
    Please run the following: Security Check

    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
    ======================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =========================================
    Do any of the original problems remain? Are there any new problems?
  3. Anno Newcomer, in training

    Hey Bobbye.
    I can't find the first thing you mentioned.

    Top of Combofix....

    ComboFix 10-11-07.A2 - NewUser 11/11/2010 20:20:02.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.672 [GMT 0:00]
    Running from: c:\documents and settings\NewUser\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\NewUser\Desktop\CFScript.txt.txt

    FILE ::
    "c:\program files\common files\roxio shared\12.0\sharedcom\roxmediadb12.exe"
    "c:\program files\common files\roxio shared\12.0\sharedcom\roxwatch12.exe"
    "c:\program files\roxio creator 2009\digital home 11\roxioupnprenderer11.exe"
    "c:\windows\system32\drivers\tffsmon.sys"
    "c:\windows\system32\drivers\tfnetmon.sys"
    "c:\windows\system32\drivers\tfsysmon.sys"

    Security Check

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    TuneUp Utilities
    TuneUp Utilities Language Pack (en-US)
    CCleaner
    Java(TM) 6 Update 19
    Out of date Java installed!
    Adobe Flash Player 10.1.85.3
    Adobe Reader 9.3.4
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ````````````````````````````````
    DNS Vulnerability Check:

    Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

    ``````````End of Log````````````

    Hijack This

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:49:54, on 17/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\3\3Connect\BecHelperService.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\NewUser\LOCALS~1\Temp\IXP000.TMP\"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\NewUser\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
    O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\NewUser\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: cbXQkihI - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3\3Connect\BecHelperService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VUAgent - Sony Corporation - C:\Program Files\Sony\VAIO Update 5\VUAgent.exe

    --
    End of file - 6720 bytes

    Whenever I boot up it shows a screen asking me which operating system to use, and auto selects XP. I still have disabled internet, both hardwired and wireless. Browser hijack no longer an issue though!
    Thanks again for your help in trying to resolve it for me.

    .Anno
  4. Bobbye Helper on the Fringe

    What is 'the first thing I mentioned?'

    I'm having a problem resolving the contents of some of the entries in the various logs. They aren't consistent, such as the AV program. Is this a pirated operating system?

    Have you or the Administrator set this:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    Control Panel present: You or an administrator has set a policy which restricts access to the 'Internet options' from within IE or in the Control Panel.

    Are you aware of it? Are you the owner and/or Administrator of this system?

    Please disable TuneUp Utilities while I am helping you.

    C:\Program Files\3\3Connect\BecHelperService.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\NewUser\LOCALS~1\Temp\IXP000.TMP\"
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: cbXQkihI - Invalid registry found
    O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3\3Connect\BecHelperService.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    =========================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Click on Start> Run> type in services.msc> Find each of the following and set Startup type to Disabled> Stop the Services:
    TuneUp.Defrag
    TuneUp.UtilitiesSvc

    Exit Services. You can re-enable these when we are finished.
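The entries Bobbye pulled out of the HijackThis log above share a few visible properties: a service with no publisher ("Unknown owner"), a service whose executable is gone ("(file missing)"), a Winlogon Notify item with "Invalid registry found" and a random-looking name, and an O6 policy entry. The following script is an added example, not part of the thread and not a HijackThis feature; it parses HijackThis-style lines and flags those properties with simple heuristics that are assumptions for illustration, so a helper can triage a long log without reading every line. The sample lines are constructed from the shape of the log posted above.

```python
import re

# Constructed sample in the shape of the O4/O6/O20/O23 lines posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: cbXQkihI - Invalid registry found
O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3\3Connect\BecHelperService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A HijackThis item is "<section> - <body>", where section is R0, R1, F2, O4, O23, ...
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")


def looks_random(name):
    """Assumed heuristic: a letter-soup name with many case flips and no digits.

    Legitimate Winlogon Notify names (e.g. vendor DLL names) rarely alternate case
    three or more times; generated names such as 'cbXQkihI' usually do.
    """
    if len(name) < 6 or any(ch.isdigit() for ch in name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())
    return flips >= 3


def classify(line):
    """Return (section, body, reasons) for one log line, or None if it is not an item."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "Invalid registry found" in body:
        reasons.append("invalid registry data")
    if "(file missing)" in body:
        reasons.append("service points at a missing file")
    if "Unknown owner" in body:
        reasons.append("service has no publisher")
    if sec == "O6" and "Control Panel present" in body:
        reasons.append("IE Control Panel restriction policy set")
    if sec == "O20" and "Winlogon Notify:" in body:
        name = body.split("Winlogon Notify:", 1)[1].split(" - ")[0].strip()
        if looks_random(name):
            reasons.append("random-looking Winlogon Notify name")
    return sec, body, reasons


def review(log_text):
    """Return only the items that triggered at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[2]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for sec, body, reasons in review(SAMPLE_LOG):
        print(f"{sec} - {body}\n    -> {', '.join(reasons)}")
```

The heuristics only narrow the list; the flagged items still need the human judgement shown in the thread (a missing file can be a leftover from an uninstall, and an "Unknown owner" service can be legitimate, as BecHelperService from the 3Connect dongle software is here).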
  5. Anno Newcomer, in training

    Hey Bobbye.

    It isn't a pirated operating system, and I am the administrator. I am not aware of anything being changed regarding the internet settings.

    What may have happened is that before I changed anything i set a system restore point, and then when my internet connections failed I restored to this earlier point. This may have caused the inconsistencies, and if so I apologize for the confusion.

    The browser hijack problem seemed to have been resolved but the main issue now is that I cannot connect to the internet either wirelessly or networked. ipconfig shows IP addresses with all zeros.

    I have removed TuneUp for now, and removed the list in Hijack This.

    A.
  6. Bobbye Helper on the Fringe

    Have you done a System Restore since I've been helping you? Did you do the restore before or after you ran the scans for these logs?

    See if this will get you reconnected:
    How To Release and/or Renew IP Addresses on Windows XP
    • Click Start> Run> type in cmd
    • Type ipconfig /release if the computer is holding a current IP address
    • Then type ipconfig /renew to obtain a new IP address (whether or not the computer is holding a current address).

    To bring a computer back onto the network after moving it to a different location, or experiencing an unexpected outage, first release, then renew the IP address. Computers on DHCP networks often (but not always) re-establish network connectivity automatically.
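Anno's symptom is an ipconfig listing of all-zero addresses, which is what a Windows XP adapter shows when it holds no DHCP lease; a 169.254.x.x address is the other common failure, a self-assigned APIPA address after the DHCP request goes unanswered. The script below is an added example, not something from the thread; it parses the text that the XP ipconfig command prints (the sample is constructed in that format) and classifies each adapter, so the release/renew step above can be checked by reading the result rather than eyeballing the dots.

```python
import re

# Constructed sample in the layout printed by ipconfig on Windows XP:
# one adapter with no lease (all zeros), one with an APIPA address, one healthy.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Home Network:

        Connection-specific DNS Suffix  . : home.example
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Adapter headers are unindented and end with a colon; fields are indented,
# padded with " . ." and separated from the value by a colon.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
FIELD_RE = re.compile(r"^\s+(IP Address|Subnet Mask|Default Gateway)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {'IP Address', 'Subnet Mask', 'Default Gateway'}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"IP Address": "", "Subnet Mask": "", "Default Gateway": ""}
            continue
        m = FIELD_RE.match(line)
        if m and current:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(adapter):
    """Classify one adapter's addressing state."""
    ip = adapter["IP Address"]
    if ip in ("", "0.0.0.0"):
        return "no lease"          # the all-zero case: nothing obtained from DHCP
    if ip.startswith("169.254."):
        return "apipa"             # DHCP unanswered, link-local address self-assigned
    if not adapter["Default Gateway"]:
        return "no gateway"        # leased but cannot leave the local subnet
    return "leased"


def summarize(text):
    """Map every adapter in an ipconfig listing to its diagnosis."""
    return {name: diagnose(fields) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for name, state in summarize(SAMPLE_IPCONFIG).items():
        print(f"{name}: {state}")
```

"no lease" after ipconfig /renew points at the DHCP client side (service stopped, adapter disabled, or the TCP/IP stack damaged), while "apipa" points at the link or the DHCP server, which is why the thread moves on to the ISP's settings.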
  7. Anno Newcomer, in training

    Hey Bobbye.

    I did the original scans BEFORE the system restore, but some of them may have been after. I realise this may have caused the inconsistencies but I just wanted to resolve the connection problem, which the restore didn't do. It went offline after the initial changes were made. If it means starting from scratch so that you have an accurate report then my bad.

    I have tried the release/renew but this has no effect. It says it has already been released and still shows ip address as 0's.

    Help......

    A.
  8. Bobbye Helper on the Fringe

    Can you contact your ISP and get the information you need for the settings?
  9. Anno Newcomer, in training

    Internet issue resolved. :)
  10. Bobbye Helper on the Fringe

    That's good news! Are there any other problems related to the malware remaining?