Logs - please help

Status
Not open for further replies.

MLacey8804

I know for definite that I have Infostealer, but I'm quite certain there are other problems. Please help me resolve these issues.

Thanks, Mike.
 
Gosh I hate it when people just throw logs at us and don't give us a clue about what is happening on their system! Don't they realize that information helps us help them?!

Okay, now that I'm done with the rant:
1. Mbam removed numerous infections. You need to review that log and see where some of them came from.
2. SuperAntispyware shows you (all) with more Tracking Cookies than I can count. Basically, every site you've visited must have left a Tracking Cookie each time! In addition, they are for dad, guest, matty, richard, shexual_fairy and sio-ban! ALL of you need to get control of the Cookies you allow!!
First, have SuperAntispyware remove ALL of the Cookies showing on ALL of the accounts.
Second, ALL of you need to change your Cookie settings to the following:
Open IE> Tools> Internet Options> Privacy tab> Advanced button> CHECK 'allow first party Cookies'> CHECK 'block third party Cookies'> CHECK 'allow per-session Cookies'> OK> Apply> OK

ALL of you need to review the listing in the program to see where you are getting more of the Cookies. These are what I call dirty sites! They're full of trash and they're going to put it on the system if you (ALL) don't protect yourselves!

You are using both the file sharing programs BitComet and BearShare, you're streaming with WMP, CyberLink Power DVD and Dell Media. None of this is without penalty. As long as you continue this, your system will be a sitting duck for malware. And it's a wonder you move at all with all this running- that's what I meant about telling us the problems.

Please handle this. I'll return later with the removals for HijackThis.
 
Thanks for the help. This is not my computer, I'm (well, you are lol) doing this as a favour, so I apologise about the lack of info. I will do all as you have suggested and come back once I have. Thanks again.
 
I was coming back to ask if there was a slow startup, shutdown or surfing, but I guess you won't know that. I have almost finished with the HijackThis log and will reply with it a little later. It's kind of useless to clean it out though, because they're using BitComet and BearShare, which are file sharing sites, and it appears they are having streaming media and downloading beginning at startup.

(edit)
It's difficult to sift through all the processes without knowing what problems are being experienced.
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O4 - Global Startup: VTAgentReboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdnsg.exe] C:\WINDOWS\system32\kdnsg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe> update
O8 - Extra context menu item: &Search - ?p=ZNxmk571YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
The following are for Symantec, but there is no Symantec security program running. If a Symantec/Norton program was previously on the system, these processes should be stopped and the program uninstalled:
O16 - DPF: {6A344D34-5231-452A-8A57-D064A9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab> Download Manager for Symantec products.
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK the following:
Any Adobe processes
Any entries for BitComet and Bearshare
VTAgentReboot
Symantec or Norton
When finished> Apply> OK
Go to the Control Panel> Add/Remove Programs and uninstall the following:
Adobe
BitComet
Bearshare
Symantec
VTAgent(Reboot)
Go to Start> Run> type in services.msc> find each of the following Services> right click> Properties> change startup type to Disabled:
Symantec Lic Net
Symantec Core LC
Right click on Start> Explore> Windows> System 32> delete the following if present:
kdnsg.exe
Reboot into Normal Mode> close the nag message that comes up after checking 'don't show this message again'. Stay in Selective Startup.

A NOTE: With so many different people using this system, with the file sharing programs BitComet and BearShare, with the large amount of streaming media and recording, it will be difficult to keep this system clean.

The malware cleaning tools can be removed with this:
OTCleanit! by Oldtimer
Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) Click the CleanUp! button.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

System Restore points should be dropped:
Control Panel> System> System Restore tab> CHECK 'turn off system Restore'> Apply> OK> Reboot.
Now go back in and UNCHECK 'turn off System Restore'> Apply> OK.
Create a new, clean restore point.

Download and Save to the desktop, the FoxIt Reader for PDF files. The Adobe Reader was out of date and comes with a lot of bloat. This will do the same thing without the extras:
http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the 'Get it Free' button. Save to the desktop- run the setup from there to install.
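The HijackThis fix list above is built by reading each O-section line and deciding whether its target still exists and whether the autorun looks like something the user installed. As an added example that is not part of this thread and not HijackThis's own code, here is a small Python parser for that log format with triage heuristics of my own that mirror what the reviewer did by hand (dangling "(no file)"/"(file missing)" registrations, an autorun value named after its own System32 path, startup-folder items, context-menu handlers with no target, and ActiveX download registrations). The fixture lines are copied from the log excerpts quoted in the post above; the flag wording and rules are this example's assumptions, not a vendor's.

```python
"""Triage helper for HijackThis-style log lines.

Parses the O-section entries and flags the ones a responder reviews first:
registrations whose target file is gone, autoruns pointing at unfamiliar
executables under System32, startup-folder items, context-menu handlers with
no target, and ActiveX downloads. The heuristics are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Fixture: entries copied from the log excerpts posted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O4 - Global Startup: VTAgentReboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdnsg.exe] C:\WINDOWS\system32\kdnsg.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk571YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path ending in an executable/library/cabinet; spaces allowed inside segments.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*?\.(?:exe|dll|cab)', re.I)
URL_RE = re.compile(r"https?://\S+")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # O4 "[name] command" form
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str
    kind: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    url: Optional[str] = None
    missing: bool = False
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn raw log lines into Entry records; lines that are not O-entries are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid, path, url = CLSID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            kind=m.group("kind").strip(),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            path=path.group(0) if path else None,
            url=url.group(0) if url else None,
            missing=any(mk in body for mk in MISSING_MARKERS),
        ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags (recomputed each call) and return only the entries that got one."""
    for e in entries:
        e.flags = []
        if e.section in ("O2", "O9", "O23") and e.missing:
            e.flags.append("dangling registration: target file is gone, safe to fix")
        if e.section == "O4":
            run = RUN_RE.match(e.body)
            name = run.group("name") if run else e.body
            if e.kind == "Global Startup":
                e.flags.append("startup-folder item: runs for every account at logon, confirm it is wanted")
            if "\\" in name:
                e.flags.append("autorun value named after its own full path: typical of a dropped binary")
            if e.path and "\\system32\\" in e.path.lower():
                e.flags.append("executable under System32 with no vendor name: verify by hash before deleting")
        if e.section == "O8" and not e.path and not e.url:
            e.flags.append("context-menu handler with no resolvable target")
        if e.section == "O16":
            e.flags.append("ActiveX download registration: remove if the vendor's software is no longer installed")
    return [e for e in entries if e.flags]


def report(entries: List[Entry]) -> List[str]:
    """Human-readable lines, one per flag, in log order."""
    return [f"{e.section} [{e.kind}] {flag}: {e.body}" for e in triage(entries) for flag in e.flags]


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run it on a saved log to get the candidate fix list; entries that are merely unfamiliar (the BearShare autorun, the Symantec service whose file is still present) are deliberately not flagged, because whether they should go depends on what the user actually has installed, which is exactly the information the reviewer kept asking for.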
 
Thanks for all that mate. I'm round there after I finish work at 7, I'll try it all then and let you know how I got on. Also, have tried deleting BitComet, but a .dll file in the "tools" folder will not let me remove it the little b*gger! I've tried to delete an awful lot of crap off their computer, but a lot of it does not appear on the add/remove programs list.

Anyway, thanks very much for the help, I'll report back ASAP.
 
Sorry, I left BitComet off the 'remove from startup section.' Please follow:
Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK BitComet> Apply> OK> Reboot> Close the nag message after checking 'don't show this message again'. Stay in Selective Startup.

Now try the removals.
 
Thanks for all that help. Attached is an updated HJT log. Seems to be running better. Can you tell me is it safe though? Has Infostealer.Gampass been removed? Still quite apprehensive about entering any login details anywhere!

Thanks, Mike.
 
The log looks much better. Hopefully you followed through on the instructions. The following needs to be removed, then uninstall. It is not secure. Update to v9 or better, get FoxIt instead:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

This infection steals passwords. I would suggest you change all passwords using a non-infected computer (not this one) and refrain from any credit card or financial dealings until clean.

Mbam cleaned up the infections- user accounts were 'Richard' and 'Shexual Fairy'. Did Mbam include the accounts of the other users 'siob-han', 'dad', 'matty' and the various 'guests'? It is strange to see the large amount of Tracking Cookies for ALL the users, but not see anything in Mbam.

Good that BitComet and Bearshare are gone. Hopefully they'll stay off!
 
Bobbye, thanks for all the help mate, sorry about long wait for reply.
Updated log attached, seems to be running a lot better. Any more problems that you can spot or do you think it's now safe to use the web again?!

Thanks again, Mike.
 
Your log is clean. I see you removed the Adobe reader, but I don't see FoxIt. You will need something to read the PDF files:
Click on the 'Get It Free' button: http://www.foxitsoftware.com/pdf/rd_intro.php

If I didn't take you through resetting the Cookies, here it is:
Internet Options (from Tools or Control Panel)> Privacy tab> Advanced button> CHECK 'override automatic Cookies handling'> CHECK 'allow first party Cookies'> CHECK 'Block third party Cookies> CHECK 'allow per session Cookies'> Apply> OK.

Stay safe and stay clean! You did a good job.
 
Foxit's been installed, so not quite sure why it's not showing, but it's working fine thanks. I've basically deleted all the other accounts now just to be safe! Cookie settings have been applied, all is well.

Thanks for everything! Mike.
 