Is my system clean?

Status
Not open for further replies.

Zalemam

Posts: 43   +0
Hey I hope you guys can help me with this problem,
I'm having a problem where I can't log in to Gmail, Facebook, Hotmail, Yahoo or anything like that. After hours of searching the internet I think that I have some type of virus on my PC and I'm not sure what it is. It's really frustrating; if anyone can help me it would be much appreciated.

I have uploaded my hijack this log if it helps...

Thank You
Zaid Alemam

I forgot to add this piece of information.
I had the Zlob trojan on my pc and I got rid of it yesterday, after I got rid of the virus I was not able to log into gmail or hotmail, facebook etc... basically anything that needed an email and password.

attached SAS
 

Attachments: hijackthis.log (13.8 KB)
You left out one of the most important malware cleaning programs> Malwarebytes. We need that to remove more of what SAS found.

Please follow the Steps here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

You have a great many Tracking Cookies.: Have SAS remove them.
Reset Cookies:
Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
For Firefox: Tools> Options> Privacy section> Cookies> CHECK 'accept Cookies'> UNCHECK 'accept third party Cookies'.
Get the Firefox add-on AdBlock Plus : https://addons.mozilla.org/en-US/firefox/addon/1865
and the 3 easy List filters: http://easylist.adblockplus.org/
(I recommend getting all three lists)
Please advise: have you set an Internet Explorer homepage as a blank page?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

If not, this is another indication of malware- another reason for Mbam.

Please reopen HijackThis and CHECK the boxes by the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: habtip Toolbar - {57c5b186-d1d3-47fb-969e-a8b745aecd21} - C:\Program Files\habtip\tbhabt.dll
R3 - URLSearchHook: (no name) - {80773a71-f58a-40b9-8478-31084fcea622} - (no file)
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: habtip Toolbar - {57c5b186-d1d3-47fb-969e-a8b745aecd21} - C:\Program Files\habtip\tbhabt.dll
O3 - Toolbar: habtip Toolbar - {57c5b186-d1d3-47fb-969e-a8b745aecd21} - C:\Program Files\habtip\tbhabt.dll
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKfox000
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O22 - SharedTaskScheduler: heterotroph - {de5ede53-9db0-422d-b32d-5c41c96d6f52} - C:\Windows\system32\iklqcx.dll (file missing)
(Zlob Trojan that installs VirusProtectPro 3.7 and shows fake security alerts from your Windows taskbar.)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

You must also decide whether you want to run the Kaspersky Internet Security or Symantec processes. You should not have both. IF you are through with Symantec, the Services need to be disabled and the Norton Removal Tool applied. Services loading for Symantec:
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

And please be patient. There are way more people with infected systems than there are volunteer helpers. We do the best we can. I will go through all three logs when you have finished. We will have additional changes to make.
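The post above works through a HijackThis log by section code (R0/R3 hooks, O2 BHOs, O3 toolbars, O4 startups, O22 scheduler entries, O23 services) and singles out entries whose file is gone ("(no file)" / "(file missing)") as leftovers of a removed component. The following Python script is an added illustration, not part of this thread and not a HijackThis or TechSpot tool: it parses that line format, counts entries per section, flags the orphaned ones, and shows which CLSIDs are registered under more than one section. The sample log is constructed from a few of the lines quoted in this thread plus one clean startup and one clean service line; the section layout and the two "missing file" markers are taken from the log format itself.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: a few lines modelled on the HijackThis entries quoted
# in this thread, plus one clean O4 startup and one clean O23 service line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: habtip Toolbar - {57c5b186-d1d3-47fb-969e-a8b745aecd21} - C:\Program Files\habtip\tbhabt.dll
R3 - URLSearchHook: (no name) - {80773a71-f58a-40b9-8478-31084fcea622} - (no file)
O2 - BHO: habtip Toolbar - {57c5b186-d1d3-47fb-969e-a8b745aecd21} - C:\Program Files\habtip\tbhabt.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O22 - SharedTaskScheduler: heterotroph - {de5ede53-9db0-422d-b32d-5c41c96d6f52} - C:\Windows\system32\iklqcx.dll (file missing)
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

# Every HijackThis entry starts with a section code, a space-dash-space, then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# COM class ids as HijackThis prints them: {8-4-4-4-12 hex}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# The two markers HijackThis uses when the registered file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Turn HijackThis log text into a list of entry dicts; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            kind, detail = "IE registry value", body
        else:
            kind, _, detail = body.partition(": ")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "kind": kind,
            "detail": detail,
            "clsid": clsid.group(0).lower() if clsid else None,
            "orphan": any(marker in body for marker in ORPHAN_MARKERS),
            "raw": line.strip(),
        })
    return entries


def count_by_section(entries):
    """How many entries each section code has (O4 = startups, O23 = services, ...)."""
    return Counter(e["section"] for e in entries)


def orphaned_entries(entries):
    """Entries whose registered file no longer exists: leftovers of a removed component."""
    return [e for e in entries if e["orphan"]]


def clsid_sections(entries):
    """Map each CLSID to the sections it is registered under, to see one component's footprint."""
    hits = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            hits[e["clsid"]].add(e["section"])
    return {clsid: sorted(sections) for clsid, sections in hits.items()}


def review_report(entries):
    """Lines a helper would want to look at first: orphans and multi-section CLSIDs."""
    lines = [f"{e['section']} orphan: {e['raw']}" for e in orphaned_entries(entries)]
    for clsid, sections in clsid_sections(entries).items():
        if len(sections) > 1:
            lines.append(f"{clsid} registered in {', '.join(sections)}")
    return lines


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", dict(count_by_section(parsed)))
    print(f"O4 startups: {count_by_section(parsed)['O4']}")
    for line in review_report(parsed):
        print(line)
```

On the sample above the report lists the five orphaned entries and notes that the habtip CLSID is registered both as a URLSearchHook (R3) and as a BHO (O2), which is the kind of pattern a helper checks before deciding what to tick in HijackThis. The script only reads the log; it does not touch the registry.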
 
You left out one of the most important malware cleaning programs> Malwarebytes. We need that to remove more of what SAS found.

Downloaded and Installed, ran full scan

Reset Cookies and installed adblocking to fire fox

Please advise: have you set an Internet Explorer homepage as a blank page?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

If not, this is another indication of malware- another reason for Mbam.

I have not set it to a blank page; my IE doesn't work...

Please reopen HijackThis and CHECK the boxes by the following:

Checked and fixed...log has been attached.

You must also decide whether you want to run the Kaspersky Internet Security or Symantec processes

Uninstalled Symantec.

Scanned with Malwarebytes-Log Attached
Scanned with SAS-Log Attached
Scanned with HijackThis-Log Attached

I think my pc is clean now...Facebook, Gmail, Hotmail Etc... all working now.
 
-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes
Confirm updated (third tab)
Then do the above quoted message, but this time "Remove all found issues"
 
It wouldn't let me update anything because it was blocked off from the internet. Once it cleaned a couple of things I was able to update it. I will post a new log tomorrow.
 
Better this time :grinthumb
Actually if you update it, and run it again, it will find the ones that were hidden too :)
I'd do it
 
When Mbam is finished, scan with SuperAntispyware and HijackThis again- attach all three logs.

You have way too many Services starting automatically. I have made a list from the first HijackThis logs and will go over them after seeing the new logs.

You have multiple malware infections. We need to make sure we're finding and removing them all.
 
Ok i updated Mbam and SAS.
Ran full scans with both programs.
Finally ran HijackThis.
And the results.....
 
Other than stacks of startups (I have one, you have 27 startups, and this is not including startup services!)

There is no Malware as such

You may want to have a look at Startup Control Panel to remove some of those unnecessary startups
Or re-open HJT and tick any 04 entry that you just don't want starting with your computer, then remove them, or un-install the application (ie Ad-aware; Daemon tools etc etc)

It's also very difficult to read logs like these too, the log is just too big.
 
Okay, let's get the Cookies under control:
Have SAS remove the Tracking Cookies: Click on lower left image here to see what to check:
http://superantispyware.en.softonic.com/images

Reset Cookies in Firefox:
Open Firefox> Tools> Options> Privacy Section> CHECK 'allow Cookies'> UNCHECK 'allow third party Cookies'> Click on Exceptions and type in each of the following, then BLOCK:
ad.yieldmanager
msnportal.112.2o7
Please get the following add-ons for Firefox:
AdBlock Plus:
Easy List: http://easylist.adblockplus.org/ (get all three)

Easy List is a filter that works with ABP. It will block the tracking Cookies.

You should also check in IE: Tools> Internet Options> Security tab> Trusted zone> Sites> remove either of the following from the Sites in the Trusted Zone:
ad.yieldmanager
msnportal.112.2o7

Now go the Restricted Sites> Sites and type each of these in and Add:
ad.yieldmanager
msnportal.112.2o7

Regarding your Startups: The ONLY processes that need to start on boot are the antivirus, firewall and touchpad if on laptop. All else, including printer, can be started manually when needed. I only have 3> the AV, touchpad and network process.

You also have way too many Services set to Automatic. Only a few need this setting. Most can be set to Manual to only start when needed and some can be disabled. Use the following site for reference and see if you can stop some of them from starting on boot. When you work on the services, it's best done in Safe Mode. ALWAYS check the Dependency tab for any other Services that may need to be running:

http://www.blackviper.com/WinVista/servicecfg.htm

Regarding Startups and services set to Automatic: the reason we suggest minimizing these is because the fewer connections you have to the internet, the safer you are. When programs start up and check for updates, they connect every time.

I'm not real pleased with the Mbam log as it shows you picked up new and different malware on the second run. While it was removed, it means you still have a security problem.
 
First of all, nicely done Bobbye.

Just a note on MBAM detections: those may have been picked up if they updated the definitions prior to the latest scan.

Also, before stating the OP is clean how about looking a little deeper in the registry or at least doing an online scan
 
I got AdBlock Plus and I'm gonna run another scan in a moment

Regarding your Startups: The ONLY processes that need to start on boot are the antivirus, firewall and touchpad if on laptop. All else, including printer, can be started manually when needed. I only have 3> the AV, touchpad and network process.

That's the problem; I don't know what I should disable and what I should keep running.
 
This will do for a start!
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-3524033387-2750201414-96141558-1002\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
 
alright, you are running in circles

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
Thank you Blind Dragon and Kimsland for your assistance.

Zalemam, when you have finished with Combo Fix, since you have Kaspersky, let's do an online scan using BitDefender. Please download from here> http://www.bitdefender.com/scan8/ie.html
Save> then run the scan. Let us know the results.

When you have finished running the additional programs and want to pare down the startup:
The ONLY process that needs to be checked is for Kaspersky:
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

And this Service needs to stay on Automatic:
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

ALL of the following O23 Services showing can be reset to Manual. Boot into Safe Mode:
Start> Run> Services.msc> right click on each of the following> Properties> Change Startup to Manual:
*Adobe LM Service
*Intel(R) Alert Service (AlertService)
*Apple Mobile Device Service
*Bonjour Service (mDNSResponder.exe)
*Capture Device Service (InterVideoDeviceService or DevSvc.exe)
*DQLWinService
*FLEXnet Licensing Service (FNPLicensingService.exe)
*Google Updater Service (gusvc)
*Intel(R) Matrix Storage Event Monitor (IAANTMON)
*InstallDriver Table Manager (IDriverT)
*Intel DH Service (IntelDHSvcConf)
*iPod Service
*Intel(R) Software Services Manager (ISSM)
*LightScribeService Direct Disc Labeling Service (LightScribeService) (LSSrvc.exe)
*lxcg_device (Lexmark Printer) (lxcgcoms.exe)
*Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner
*Intel(R) Application Tracker (MCLServiceATL)
*Intel(R) Remoting Service (Remote UI Service)
*stllssvr (SureThing Shared)

A NOTE on changing Service Startup types: ALWAYS check the Dependency tab. This is why it's best to make changes in Safe Mode. Some Services need other Services running to start- that's what the Dependency tab is for. Take your time, be sure any Dependent Services are set to at least Manual for Services that are set to Automatic. When you change to Manual, the Dependent Services can also be set to Manual.

Another NOTE: Changing a Service Startup type to Manual means it will start when needed, rather than at boot (if not needed). Services set to Automatic will start on boot and run in the background. One of your Services, stllssvr (SureThing Shared), for instance is for CD labeling. You don't need that running in the background- only when you want to make the label.

I am uncertain about the following Services. There is a downloadable program called Browser Defender that uses the Firebird Guardian database and server. Whether these Services need to automatically start on boot is uncertain.
Description of Browser Defender: http://www.browserdefender.com/file/879497/site/spacialaudio.com/
Browser Defender™ Website Safety Lookup: Web sites are tested for what we believe are excessive pop-ups, "phishing" and other fraudulent practices, and browser exploits. Downloads are tested for viruses and bundled adware, spyware or other possibly unwanted programs.
These are the 2 Services:
FirebirdGuardianDefaultInstance (fbguard.exe)
FirebirdServerDefaultInstance (fbserver.exe)

Hopefully I haven't thrown too much at you at one time! So many people don't realize that virtually everything puts itself on startup automatically and that most Services come set to Automatic. But both areas can be customized to save startup time, increase surf time and shorten shutdown time. I usually have some very happy campers once these areas have been handled.
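The two NOTEs in the post above describe a rule that is easy to get wrong by hand: Manual is always a safe setting because any service that needs it will start it on demand, but a service set to Automatic must never depend, directly or through a chain, on a service that has been Disabled, and disabling anything still needed by another service breaks that service. The Python below is an added illustration, not part of this thread and not a Windows tool: it models a small service table with the Dependency-tab relationships, walks the dependency chain, reports violations, refuses a Disable that something still needs, and applies the "everything but the antivirus to Manual" plan from this post. The service names and their dependencies are constructed for the example and are not a real Windows service map; on a real machine the same information comes from the Dependency tab in services.msc.

```python
from collections import deque

AUTOMATIC, MANUAL, DISABLED = "Automatic", "Manual", "Disabled"

# Constructed example table (hypothetical names, not a real Windows service map):
# name -> (startup type, services it depends on, as shown on the Dependency tab)
SERVICES = {
    "av_engine":  (AUTOMATIC, ["net_stack", "rpc_bus"]),  # stands in for the AV (avp) service
    "net_stack":  (AUTOMATIC, ["rpc_bus"]),
    "rpc_bus":    (AUTOMATIC, []),
    "cd_labeler": (AUTOMATIC, ["label_db"]),  # a background helper like the CD-labeling service
    "label_db":   (AUTOMATIC, []),
    "updater":    (AUTOMATIC, ["net_stack"]),
}


def transitive_dependencies(services, name):
    """Everything `name` needs before it can start: the Dependency tab followed to the end of the chain."""
    seen, queue = set(), deque(services[name][1])
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        # Unknown names are treated as Manual with no dependencies of their own.
        queue.extend(services.get(dep, (MANUAL, []))[1])
    return seen


def dependents_of(services, name):
    """Services (not already Disabled) that would fail to start if `name` were Disabled."""
    return sorted(s for s, (start, _) in services.items()
                  if start != DISABLED and name in transitive_dependencies(services, s))


def violations(services):
    """Pairs (service, dependency) where a service that may still start relies on a Disabled one."""
    bad = []
    for name, (start, _) in services.items():
        if start == DISABLED:
            continue
        for dep in sorted(transitive_dependencies(services, name)):
            if services.get(dep, (MANUAL, []))[0] == DISABLED:
                bad.append((name, dep))
    return bad


def set_startup(services, name, new_start):
    """Return an updated table; refuse to Disable a service that something still depends on.
    Manual never breaks a dependent, because the dependent starts it on demand."""
    if new_start == DISABLED:
        blockers = dependents_of(services, name)
        if blockers:
            raise ValueError(f"{name} is still needed by: {', '.join(blockers)}")
    updated = dict(services)
    updated[name] = (new_start, services[name][1])
    return updated


def trim_plan(services, keep_automatic):
    """Set every service outside keep_automatic to Manual, the default this post recommends."""
    plan = dict(services)
    for name in services:
        if name not in keep_automatic:
            plan = set_startup(plan, name, MANUAL)
    return plan


if __name__ == "__main__":
    trimmed = trim_plan(SERVICES, {"av_engine"})
    print("after trimming:", {n: s for n, (s, _) in trimmed.items()})
    print("violations:", violations(trimmed))
    try:
        set_startup(trimmed, "net_stack", DISABLED)
    except ValueError as err:
        print("refused:", err)
```

Trimming to Manual leaves no violations even though the antivirus stays Automatic, while an attempt to Disable the network service is refused because the antivirus and the updater still depend on it. That is the check the Dependency tab is there for; the script just makes it mechanical.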
 