Browser being hijacked [Solved]
#16
Posted 19 December 2012 - 04:48 AM
#17
Posted 19 December 2012 - 04:51 AM
Let's get a deeper look into the system and see if something shows up.
Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
- Double click on OTL.exe to run it.
- Under Output, ensure that Minimal Output is selected.
- Under Extra Registry section, select Use SafeList.
- Click the Scan All Users checkbox.
- Click on Run Scan at the top left hand corner.
- When done, two Notepad files will open.
- OTL.txt <-- Will be opened and is the one that I need posted back here
- Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
- Please post the contents of OTL.txt in your next reply.
Gringo
#18
Posted 20 December 2012 - 07:10 AM
Thanks.
JR
Edited by jollyr, 20 December 2012 - 08:23 PM.
#19
Posted 20 December 2012 - 12:21 PM
Run this custom script, and when it is complete I need to know how the computer is doing.
Run OTL Script
- Double-click OTL.exe to start the program.
- Copy and Paste the following code into the textbox. Do not include the word Code
:OTL
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_135.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-2183331008-2673382216-1578165354-1014..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN File not found
O4 - HKU\S-1-5-21-2183331008-2673382216-1578165354-1014..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O8:64bit: - Extra context menu item: Download ALL with IDA - C:\Program Files (x86)\IDA\idaieall.htm File not found
O8:64bit: - Extra context menu item: Download remotely with IDA - C:\Program Files (x86)\IDA\remdown.htm File not found
O8:64bit: - Extra context menu item: Download with IDA - C:\Program Files (x86)\IDA\idaie.htm File not found
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files (x86)\IDA\idaieall.htm File not found
O8 - Extra context menu item: Download remotely with IDA - C:\Program Files (x86)\IDA\remdown.htm File not found
O8 - Extra context menu item: Download with IDA - C:\Program Files (x86)\IDA\idaie.htm File not found
O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2012/01/02 16:11:27 | 000,005,247 | ---- | M] () (No name found) -- C:\Users\BJ\AppData\Roaming\Mozilla\Firefox\Profiles\9imfz4dx.default\extensions\[email protected]
:Files
ipconfig /flushdns /c
:Commands
[PURITY]
[emptyjava]
[EMPTYFLASH]
[reboot]
- Then click the Run Fix button at the top.
- Click .
- OTL may ask to reboot the machine. Please do so if asked.
- The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.
Let me know how things are doing.
Gringo
#20
Posted 20 December 2012 - 08:23 PM
#21
Posted 20 December 2012 - 08:31 PM
At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
ClearJavaCache::
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
"information and logs"
- In your next post I need the following
- report from Combofix
- let me know of any problems you may have had
- How is the computer doing now after running the script?
Gringo
#22
Posted 21 December 2012 - 07:12 AM
Here's the log from running the combofix script:
Edit: Got redirected when submitting this post.
Edited by jollyr, 21 December 2012 - 09:14 AM.
#23
Posted 21 December 2012 - 08:52 AM
gringo
#24
Posted 21 December 2012 - 09:16 AM
JR
Edited by jollyr, 21 December 2012 - 09:17 AM.
#25
Posted 21 December 2012 - 10:02 AM
I want you to reset Firefox back to defaults. To do this I need you to do the following:
- At the top of the Firefox window, click the "Firefox" button,
- go over to the "Help" sub-menu
- (on Windows XP, click the Help menu at the top of the Firefox window) and select "Troubleshooting Information".
- Click the "Reset Firefox" button in the upper-right corner of the Troubleshooting Information page.
- click "Reset Firefox" in the confirmation window that opens.
- Firefox will close and be reset. When it's done, click "Finish" and Firefox will open.
Restart the computer and check Firefox for me now.
Gringo
#26
Posted 21 December 2012 - 11:07 AM
Have a question about plugins. Any concerns about those shown in the attached screen capture?
Thanks,
JR
Edited by jollyr, 21 December 2012 - 08:15 PM.
#27
Posted 21 December 2012 - 11:15 AM
- This small application you may want to keep and use once a week to keep the computer clean.
Download CCleaner from here http://www.ccleaner.com/
- Run the installer to install the application.
- When it gives you the option to install Yahoo toolbar uncheck the box next to it.
- Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
- Click Run Cleaner.
- Close CCleaner.
: Malwarebytes' Anti-Malware :
- Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Download HijackThis
If you have any problems running HijackThis, see NOTE** below (Host file not read, blank notepad ...)
- Go Here to download HijackThis Installer
- Save HijackThis Installer to your desktop.
- Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
- By default it will install to C:\Program Files\Trend Micro\HijackThis .
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed it will launch Hijackthis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
- DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator
"information and logs"
- In your next post I need the following
- Log From MBAM
- report from Hijackthis
- let me know of any problems you may have had
- How is the computer doing now?
Gringo
#28
Posted 21 December 2012 - 08:14 PM
Edited by jollyr, 21 December 2012 - 09:10 PM.
#29
Posted 21 December 2012 - 08:44 PM
These logs are looking very good, we are almost done!!! Just one more scan to go.
:Remove unneeded start-up entries:
This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of these programs by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.
If you have any problems running HijackThis, see NOTE** below (Host file not read, blank notepad ...)
- Run HijackThis
- Click on the Scan button
- Put a check beside all of the items listed below (if present):
O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
- Close all open windows and browsers/email, etc...
- Click on the "Fix Checked" button
- When completed, close the application.
NOTE** You can research each of those lines >here< and see if you want to keep them or not.
Just copy the name between the brackets and paste it into the search space, for example:
O4 - HKLM\..\Run: [IntelliPoint]
NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator
Eset Online Scanner
**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin.
Go to the ESET web page to run an online scanner from ESET.
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- click on the Run ESET Online Scanner button
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the add-on to be installed
- Click Start
- Make sure that the option Remove found threats is unticked
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan
- wait for the virus definitions to be downloaded
- Wait for the scan to finish
When the scan is complete
- If no threats were found
- put a checkmark in "Uninstall application on close"
- close program
- report to me that nothing was found
- If threats were found
- click on "list of threats found"
- click on "export to text file" and save it as ESET SCAN and save to the desktop
- Click on back
- put a checkmark in "Uninstall application on close"
- click on finish
- close program
- copy and paste the report here
Gringo
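As an added example that is not part of the thread or of the HijackThis tool itself, the following Python parser takes HijackThis "O4" start-up lines like the ones listed in the post above and splits each into the Run key or startup folder, the entry name, the program path and its arguments, which is the information you need when deciding whether to keep or remove an entry. The sample lines are copied from the post; the field names and the handling of the "?" target are my own assumptions.

```python
import re

# Added example, not part of the forum thread: a small parser for HijackThis
# "O4" start-up lines like those listed in the post above. It separates the
# location (Run key or startup folder), the entry name, the program path and
# its arguments so a reviewer can see exactly what is launched at logon.
# Sample lines are copied from the post; the field names are my own choice.

RUN_KEY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS?\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"
)
STARTUP_DIR = re.compile(
    r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$"
)

def split_command(cmd):
    """Split a Run-key command into (path, args): a quoted path keeps its
    spaces; an unquoted one ends at the first '/' or '-' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r" (?=[/-])", cmd)
    if m:
        return cmd[:m.start()], cmd[m.end():]
    return cmd, ""

def parse_o4(line):
    """Return a dict describing one O4 line, or None for any other line."""
    m = RUN_KEY.match(line)
    if m:
        path, args = split_command(m.group("cmd"))
        return {"location": m.group("hive") + "\\" + m.group("key"),
                "name": m.group("name"), "path": path, "args": args}
    m = STARTUP_DIR.match(line)
    if m:
        target = m.group("cmd").strip()
        # HijackThis prints "?" when it cannot resolve the shortcut target.
        return {"location": m.group("where"), "name": m.group("name"),
                "path": None if target == "?" else target, "args": ""}
    return None

SAMPLE_LINES = [  # constructed from lines quoted in the post above
    r'O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime',
    r'O4 - Global Startup: McAfee Security Scan Plus.lnk = ?',
]
```

Running `parse_o4` over a full HijackThis log and listing entries whose path is None or does not exist on disk is a quick way to spot the dangling entries that the OTL script earlier in the thread flags as "File not found".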
#30
Posted 21 December 2012 - 09:23 PM
Edited by jollyr, 22 December 2012 - 06:39 AM.