My hijack this log

panthanpress

Here is my Hijack this log, if someone could tell me what to fix. I suspect the "myway" thing is what's hijacking me, but I wanted to be sure.
 

Attachments: hijackthis.log
So how come you already knew you had MyWebSearch on the system? Mbam and SAS seemed to have cleaned it out, along with a few other things. That's good.

I guess you would be a music fan! ♫♪♫ You have a lot of 'stuff' running that's going to slow you down at some point. Processes that are on the Startup menu and start on boot, run in the background, which you may or may not use that session:
Examples:
Real Player updater
Java updates
QuickTime updater
Napster
iTunes
iPod
Adobe Reader
Music Match
All legitimate programs, none needed to start on boot!
But that's another story!

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

After all of the fixes are complete it is very important that you enable TeaTimer again.

Once TeaTimer is disabled, please run this:
Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
Then rescan with HijackThis and include new log.

Have you noticed a difference in the system since you ran Mbam and SAS?
 
My wife is the music fan. I'll get some of those programs off the startup menu. Here are the new logs. By the way, this problem began on Monday and my first thought was to do a system restore. But I found that I didn't have any system restore points available before Monday. Did whatever I picked up somehow erase them? I've restored before to earlier points.
 

Attachments: report 6-18.txt
Sorry, I didn't get to finish this last night.

Your ISP is AT&T, is that right?

Malware can get in the System Restore points, but that would probably have shown up in SAS. I will take you through troubleshooting for that later.

Credits to kritius:
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Napster, RoxLiveShare,

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs HERE.

I would recommend that you uninstall Napster and RoxLiveShare; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Please disable this service while we're cleaning:
Start> Run> services.msc> right click on RoxLiveShare> Properties> change Startup type to Disable> Stop the Service.

Take the following off of Startup:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK processes for both Napster and Roxio> Apply> OK> Reboot> NOTE: Ignore the nag message that comes up and close it after checking 'don't show this message again.' Stay in Selective Startup.
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

You have a Linksys router:
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
But the Active X Object file is either not loading or missing:
This is what you have:
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
This is what it should be:
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab

I suggest you reconfigure the router.

I note you are using Yahoo DSL, but there are still AOL dial-up files being loaded. They should be removed.

Please disable TeaTimer as previously requested, then do a full system scan with McAfee (update before the scan) Save the log and attach it to next reply.

Listing of HP entries usually found on Startup: NONE need to start on boot and can be started manually as needed:
http://www.sysinfo.org/startuplist.php?letter=H&filter=&count=50&offset=150
(there are 2 pgs. of entries!)

HP\Digital Imaging
Smart Web Printing
hpswp_printenhancer.dll
Smart Web Printing\hpswp_BHO.dll
HP Boot Optimizer\HPBootOp.exe" /run
HP Software Update\HPWuSchd2.exe
Taskbar Utility] hpztsb08.exe
Digital Imaging\bin\hpqSRMon.exe>> Related to HP digital imaging products. Unsure as to what it does.
Digital Imaging\bin\hpqtra08.exe>> hp digital imaging monitor>> can be started manually

C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\YS561401.CAB
[0] Archive type: CAB (Microsoft)
--> F345_spcplui.dll.>>>>
harrythompson.com >> ringtones, wallpapers, games, and java apps in your Sprint Nextel or Boost Mobile Iden phone.

This, like 3D cursors, wallpaper for desktop and backgrounds can be a source for malware. Considering removing it.

DAEMON Tools Virtual Drive Manager could not be opened for the scan. This is configured to be the very first driver to load when the system starts; it may cause instability. Consider removing it.

I am not seeing the source of the redirect. I was hoping SDFix would be enough.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Screen shots:
http://www.geekstogo.com/forum/Otscanit-log-sent-here-other-post-t192642.html

Rescan with HJT when through and attach new log and Combofix report.
 
> Sorry, I didn't get to finish this last night.
>
> Your ISP is AT&T, is that right?
Yes.

> Please disable this service while we're cleaning:
> Start> Run> services.msc> right click on RoxLiveShare> Properties> change Startup type to Disable> Stop the Service.

RoxLiveShare is not on the list. Three things that I presume are related to my Roxio Easy Media Creator Suite are there: Roxio Hard Drive Water, RoxMediaDB, and RoxUPnPRenderer.

> You have a Linksys router:
> Administrator Control) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
> (Personal System Administrator Control)

I can't open this link. When I paste it directly into the nav bar, I'm taken to a page of Yahoo search links and when I click on one I'm taken to advertising sites.

I'll go run the McAfee scan and get ComboFix and post the results later.
 
I can't figure out how to attach the log of my McAfee scan. But it found and quarantined 19 skynet trojans in my temp directory, and it asked me if I wanted to clean windows\system32\SKYNETkyvbxuom.dll. I said yes, but I can't really tell if it did anything. I'm moving on to Combofix now.
 
new Combofix and Hijack logs

Combofix wouldn't let me name it Combo-Fix(.exe) so I just named it Combo-Fix. It wanted me to connect to the internet during its run, so I did, even though I had all of my McAfee stuff disabled. Here are the logs.
 
Combofix deleted some of those SkyNet entries also. Make sure all the files are gone:
Right click on Start> Explore> Windows> System32> do a right click on each of the following if found> Delete:
SKYNETubtaojoy.sys>> in Drivers section, system 32
egjlm.bak2
egjlm.tmp
SKYNETdlbuamrh.dll
SKYNETixaudbut.dat
SKYNETkyvbxuom.dll
c:\windows\system32\SKYNETnlktagrp.dat
When through, empty the Recycle Bin.

Update Adobe: to most current version:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

You also need to take this entry off of Startup: reader_sl.exe
First, it doesn't need to start on boot, and second, you have it on Global Startup, meaning that it starts up no matter which account signs on.
Take off startup: O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\

> RoxLiveShare is not on the list. Three things that I presume are related to my Roxio Easy Media Creator Suite are there: Roxio Hard Drive Water, RoxMediaDB, and RoxUPnPRenderer.
The RoxShare is still loading in the Services: It's the 5th Service from the bottom in the HJ log.
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

The Linksys 'link' was just a copy of the full entry. I didn't try the site. Sorry. Please check here and see if there is a Firmware update for your router: http://www.dslreports.com/faq/8756

I'd like to get a clean antivirus scan from you. You can try scanning again with McAfee. To save the scan: How do I save the scan results to a log file? Click the File menu and select Save report to file. I suggest saving it to your desktop and naming it Test log. If you cannot do this, do the following:

Please run the ESET online scanner and attach the log:
http://www.eset.com/onlinescan/cac4.php?page=faq

You might want to follow this:
Why does ESET Online Scanner run slowly on my computer?
If you have other anti-virus, anti-spyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and slow it down. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished!

It sounds like you have almost gotten it all, but make sure with the AV scan. Attach the AV scan and a new HJThis log. If clean, I'll have you remove the cleaning tools and old restore points.

Edit: I see this in the Trusted Zone:
Trusted Zone: internet
Trusted Zone: mcafee.com
Please take BOTH out. You sure don't want the internet in the Trusted Zone, and you don't need McAfee there. This zone has lower security and allows entries with fewer security constraints.
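Added here as an illustration, not code from this thread or from HijackThis: a small Python triage script that parses HJT-style log lines and flags the kinds of entries discussed above (Trusted Zone entries, the bare O16 DPF entry with no control name or URL, a service whose name marks it as P2P, and a Global Startup item). The sample log is constructed from lines quoted in this thread; the "O15 - " prefix on the Trusted Zone lines is assumed from HJT's section numbering.

```python
import re

# Constructed sample modelled on entries quoted in this thread (not a real log file).
# The "O15 - " prefix on the Trusted Zone lines is an assumption about HJT's format.
SAMPLE_LOG = """\
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
O15 - Trusted Zone: internet
O15 - Trusted Zone: mcafee.com
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\\Program Files\\Common Files\\Roxio Shared\\SharedCOM8\\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\\Program Files\\Common Files\\Roxio Shared\\SharedCOM8\\RoxMediaDB.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A complete DPF (ActiveX download) entry carries "(Name) - <url>" after the CLSID.
COMPLETE_DPF_RE = re.compile(r"\(.+\) - \S+://")


def parse_hjt(text):
    """Return (section, body) pairs for every 'Oxx - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(entries):
    """Flag the entry types discussed in the thread; returns (level, message) pairs."""
    findings = []
    for code, body in entries:
        if code == "O15" and body.startswith("Trusted Zone:"):
            site = body.split(":", 1)[1].strip()
            # Trusting the whole "internet" zone defeats IE's zone model outright.
            level = "HIGH" if site.lower() == "internet" else "REVIEW"
            findings.append((level, f"Trusted Zone entry '{site}' relaxes IE security for it"))
        elif code == "O16" and not COMPLETE_DPF_RE.search(body):
            findings.append(("REVIEW", f"DPF entry has no control name/URL (not loading or missing): {body}"))
        elif code == "O23" and re.search(r"\bP2P\b", body, re.IGNORECASE):
            findings.append(("HIGH", f"P2P file-sharing service installed: {body.split(' - ')[0]}"))
        elif code == "O4" and body.startswith("Global Startup:"):
            findings.append(("INFO", f"Runs for every account that signs on: {body}"))
    return findings


if __name__ == "__main__":
    for level, msg in review(parse_hjt(SAMPLE_LOG)):
        print(f"[{level}] {msg}")
```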
 
You also mentioned:
> Edit: I see this in the Trusted Zone:
> Trusted Zone: internet
> Trusted Zone: mcafee.com
> Please take BOTH out. You sure don't want the internet in the Trusted Zone, and you don't need McAfee there. This zone has lower security and allows entries with fewer security constraints.


How do I take these out of the Trusted Zone?
 
I'm going to fire my spell checker! It's not doing a very good job. Sorry.

To change zones:
Control Panel> Internet Options> Security tab> Trusted Zone> Sites> highlight and delete the sites from there.

Keep this feature in mind. If you ever get a site you don't want to get again, follow the above through 'Security tab'> then Restricted Zone> Sites> type the Domain here and add. An example would be doubleclick.com or .net. You would type .doubleclick.net, doubleclick.com or *.doubleclick.com.
 
Eset picked up malware
Either McAfee missed it or it's new. Either way, all the files have to be found and removed:

It appears that you downloaded software for marine (fish) screen savers. And it appears it is part of file sharing. Open My Documents (Jeff), locate marinefree.exe and delete it. Look in Add/Remove Programs and uninstall it if there.

Please run full system scan with McAfee. Save log and attach to next post.

Please download ComboFix HERE: This will be similar to but more in depth than SDFix.
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. This includes the McAfee firewall. You should also disable TeaTimer, which was requested in Post #4. These running processes can affect the scan and its outcome. It can also give you an error message. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If McAfee or any other Domain is still listed in the Trusted Zone, remove them per my instructions in Post #17.

Rescan with HijackThis and include new log:
I need the following attachments on your next reply:
McAfee scan log
Combofix report
HijackThis log
 
latest logs

McAfee (which hides logs in a hidden folder, by the way) and combofix and hijackthis logs attached. Combofix said McAfee was running, but McAfee was telling me with big red X's and warnings that it was disabled.
 
We are spinning wheels here! As long as the file sharing is going on in the background, the infections continue. Eset cleaned up one batch, McAfee finds another- or more. I'm not sure which!

McAfee is showing the DNS Changer> that is a direct effect of the file sharing and requires the router to be reset. But the Roxio Shared programs are loading and running. You're getting hijacked because another user is sharing files and picking up malware!

So, please uninstall the P2P programs or I will withdraw from this thread. We continue to play roulette: one program finds the malware and removes it. File sharing brings more malware back. Another program is run and finds it and removes it. File sharing, and on and on!

Delete the quarantined files in McAfee AV
Run CCleaner and delete temp files and tmp files.
Empty the Recycle Bin

Uninstall Roxio Shared and we'll start all over.
 