IE issues, hacktool, pwdump, etc


cbrummell

Hi All,

I've had numerous problems but can't seem to shift them all. Have followed all of the steps in the 'before posting' section but still can't move them - Norton said that if I ran a scan in safe mode it would be able to delete the infections, but it wouldn't let me...

IE is now not working properly, locking up, opening additional windows, generally being weird...especially when using the address bar...

Firefox is ok for now but machine is generally not in a happy place...

Attached all the logs (HJT, MWbytes and SASpyware)...

Any help much appreciated! :)

Thanks,

Claire
 
I'm checking the logs. Mbam is clean, SuperAntispyware shows malware in the restore points. DO NOT use System Restore! We will drop those points when the system is clean. Your log is long and it will take me a while. Just wanted to send this caution your way.
 
I'm checking the logs. Mbam is clean, SuperAntispyware shows malware in the restore points. DO NOT use System Restore! We will drop those points when the system is clean. Your log is long and it will take me a while. Just wanted to send this caution your way.

No problem - I can be patient!!

Thank you so much for looking at this, it's really appreciated. I did try to use System Restore when it first happened, but it actually wouldn't let me (no valid restore periods) so I gave up on that approach.

Will await further instruction before doing anything else.

Thanks :)
 
Your Java is out of date. Please download the latest version, which is v6u10, from here:
http://java.com/en/download/manual.jsp

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below:
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present>>> unless you specifically have Spybot set
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

This does not need to be in the Trusted Zone- even if it's your ISP.
O15 - Trusted IP range: http://62.73.186.39>>netname: SEGA-EURO-NET
descr: Sega Europe Ltd.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> type in 'msconfig' without the quotes> Selective Start-up> Startup tab> UNCHECK everything EXCEPT the Symantec/Norton antivirus and firewall> Apply> OK.

Open Internet Options> Security tab> Trusted Zone> Sites> remove IP 62.73.186.39> Apply> OK.

Control Panel> Add/Remove Programs> Uninstall all Java EXCEPT v6u10.
Uninstall ANY other programs that you do not use. If you find one you don't recognize, include its name with the next log.

Start> Run> service.msc> right click on JavaQuickStarterService> Properties> Change Startup type to Disabled

Reboot into Normal Mode.
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

Scan with HijackThis again and attach new log.

NOTE: If speed is an issue, you have numerous processes starting at boot that don't need to. This does not mean you will be unable to use the program. These can easily be started manually when needed, instead of at boot and then running in the background. Some are:
QuickTime
Adobe Reader
Nero
PhotoStudio
Kodak
Real Player
CyberLink Power
acdwemon.exe for WebCam, Scanner, or other devices.
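As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python reviewer for the HijackThis log sections discussed above: O2 BHOs with no file, the O6 Restrictions policy entry, O15 Trusted IP ranges and O16 downloaded ActiveX files. The sample lines are constructed to mirror this thread's log, and the flag rules, function names and wording are my own assumptions.

```python
import re

# Constructed sample lines modelled on the entries quoted in this thread
SAMPLE_LOG = """\
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O15 - Trusted IP range: http://62.73.186.39
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""

# A HijackThis entry starts with a section tag (R0, O2, O23, ...) followed by " - "
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_entry(section, body):
    """Return the reasons an entry deserves a second look (assumed rules), or []."""
    reasons = []
    if section == "O2" and body.endswith("(no file)"):
        reasons.append("BHO registered but its DLL is missing (orphaned entry)")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO with no name")
    if section == "O15":
        reasons.append("Trusted Zone entry: sites here run with relaxed IE security")
    if section == "O6" and "Restrictions" in body:
        reasons.append("IE restriction policy present (expected only if you set it)")
    if section == "O16":
        reasons.append("Downloaded Program File (ActiveX) is still installed")
    return reasons

def review_log(text):
    """Map each flagged entry body to its reasons; clean entries are omitted."""
    return {body: r for sec, body in parse_hjt(text) if (r := review_entry(sec, body))}

if __name__ == "__main__":
    for body, reasons in review_log(SAMPLE_LOG).items():
        print(body)
        for r in reasons:
            print("   ->", r)
```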
 
Have tried to complete the below -

Java, HJT instructions, msconfig instructions, restore points
- done
Open Internet Options> Security tab> Trusted Zone> Sites> remove IP 62.73.186.39> Apply> OK.
- Tried to do this - site was not in the list- in fact no sites were listed.
Control Panel> Add/Remove Programs> Uninstall all Java EXCEPT v6u10.
Uninstall ANY other programs that you do not use. If you find one you don't recognize, include its name with the next log.
- Wouldn't let me remove any progs in safe mode - restarted in normal mode then did it.
Start> Run> service.msc> right click on JavaQuickStarterService> Properties> Change Startup type to Disabled
- Machine won't find 'service.msc'

Look forward to hearing your response.

Thanks again x
 
Good job! I need a performance assessment. How is the system running? Are previous problems resolved? If not, what remains? How is your speed? Better? Still a few unneeded startups to play with.

Please go to the Control Panel> Add/Remove Programs> Java>>> Verify that you now have v6u7 and that no other Java program shows as installed- the entries are just showing v6.

Let's turn off the Java auto-update:
Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> answer YES when asked if you're sure> Close.

The entry that was in the Trusted Zone doesn't appear now- good. I am extra conservative about anything being put in the Trusted Zone. It is something that can backfire on a user easily.

Services can also be accessed using this path:
Control Panel> Administrative Tools> Services.

Question: Have you intentionally set Restriction:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Please check the information here about Restrictions. If you set it, okay. Make sure the setting is correct. If you did not set it, we need to remove the restriction, but you should check to see what the Restriction is first: http://www.pctools.com/guides/registry/detail/442/

If the performance is good and the problems are resolved, we will remove the cleaning programs:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

The Restore Points have been cleaned.

Note: It appears that you did an online scan using Housecall. This continues to run in the background unless you remove the program- you may want to do that:
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

Easiest way to do this is to download and run this file:
http://www.softpedia.com/get/Security/Secure-cleaning/Housecall-Cleaner.shtml

Let us know if you need more help. It was a pleasure helping you.
 
OK, so I've done the same again - put my comments on how I'm doing below in CAPS.

Good job! I need a performance assessment. How is the system running? Are previous problems resolved? If not, what remains? How is your speed? Better? Still a few unneeded startups to play with.
- Main problem is that Norton is still picking up hacktool and pwdump when scanning and it cannot get rid of them - so still need some help on that front.

Trusted Zone, Java instructions - DONE
Question: Have you intentionally set Restriction:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
- I stopped it accessing the internet as I kept accidentally opening it, and it was freezing up my system!
 
Thank you Blind Dragon. That is very helpful:
cbrummell, please access this site on TechSpot: https://www.techspot.com/vb/topic34006.html

It is a well-written, detailed instruction for: How to remove Hacktool.Rootkit
Please follow each instruction carefully, use the links that are supplied and, when through, attach the appropriate logs, which will include a new HijackThis log.

We will go from there.

You may enjoy this comment on site: "As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!"
 
Machine won't find 'service.msc'
Actually, it's services.msc
Note to cbrummell: try not to copy and paste everything our volunteers say. Just quote a few relevant sections if needed, or better still, no need to quote at all and just reply normally instead of using caps. This ensures a shorter post as well as easy reading for us to help you. =)
 
Note to cbrummell: try not to copy and paste everything our volunteers say. Just quote a few relevant sections if needed


No worries - apologies, I'll try and do this going forward (see I've started already!) :)

I'll try working through the hacktool repair tonight, will let you know how I get on!
 
I've followed the steps in that other thread, but Norton is still detecting hacktool and pwdump... :(

HJT Log attached.
 
I would recommend using an anti-rootkit here as conventional tools may prove to be useless against this variant of infections (rootkits). Either Panda or F-Secure BlackLight is a good choice.

Also, the log shows "Windows XP SP2". SP3 is already out, so updating is recommended.
 