
pain in the behind with computer

  • 27-09-2008 12:01am
    #1
    Closed Accounts Posts: 19,183 ✭✭✭✭


    Family alerted me to an issue earlier today when I got home from work (IT work >_>).

    Anyway, before I go on a rant: when they do searches on Google and click a link, they get hijacked and sent to some advertising site.

    Ran McAfee normally, nothing showed up.
    Booted into safe mode and ran McAfee again, nothing showed up.

    When logged into safe mode it said none of the safeguards, i.e. virus scan, firewall etc., were running. Tried to rectify it but it wouldn't let me due to some 'unknown error'.

    Had a peek in the processes menu and there are a few .exe's there which I'm very suspicious about.

    To be honest I don't want to go fiddling with the registry to remove the rogue program.

    I don't use the computer myself so I don't know how it got infected; I have it auto-updating and never had a major problem until now.

    Any suggestions on what to do next?

    Cheers,

    Will


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Read the Sticky thread and do the steps there.

    Then do this:

    CLICK HERE to download the HijackThis Installer:
    1. Save HJTInstall.exe to your desktop.
    2. Double-click on HJTInstall.exe to run the program.
    3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    4. Accept the license agreement by clicking the "I Accept" button.
    5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    6. Click "Save log" to save the log file and then the log will open in Notepad.
    7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
    8. Come back here to this thread and paste the log in your next reply.
    9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


  • Closed Accounts Posts: 19,183 ✭✭✭✭Will


    Cheers, been a long week, then having to do more computery stuff at home wasn't a good mix.

    Will get on this tomorrow and post up a log file. Thanks :D


  • Closed Accounts Posts: 19,183 ✭✭✭✭Will


    Log file: got rid of McAfee and am running Malwarebytes now, head is melted.

    Log file:

    Running processes
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
    * C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
    * C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
    * C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
    * C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
    * C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    * C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
    * C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe (Hewlett-Packard Company)
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
    * C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
    * C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
    * C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
    * C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
    * C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe (Sun Microsystems, Inc.)
    * C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
    * C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    * C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
    * C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    * C:\PROGRA~1\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    * C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
    * C:\Program Files\Mcafee\MWL\MwlSvc.exe (McAfee, Inc.)
    * C:\Program Files\Mcafee\MWL\MWLGui.exe (McAfee, Inc.)
    * C:\WINDOWS\System32\PAStiSvc.exe
    C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe (McAfee, Inc.)
    * C:\Documents and Settings\Will\Local Settings\Temp\wz938b\RunScanner.exe (Runscanner.net)
    * C:\WINDOWS\system32\services.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
    * C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
    * C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
    * c:\windows\System32\smss.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
    * C:\WINDOWS\system32\msiexec.exe (Microsoft Corporation)
    * C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe (Microsoft Corporation)

    Unrated items
    002 * C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
    002 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
    002 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
    002 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
    002 * C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    002 * C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    002 * C:\Program Files\Mcafee\MWL\MWLGui.exe (McAfee, Inc.)
    002 C:\Program Files\QuickTime Alternative\QTTask.exe (Apple Inc.)
    003 C:\Program Files\Google\Google Talk\googletalk.exe (Google)
    003 * C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
    003 C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe (McAfee, Inc.)
    003 * C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
    005 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    010 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Mobile Device)
    010 C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service)
    010 C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe (Imapi Helper)
    010 C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (InstallDriver Table Manager)
    010 * C:\Program Files\Kontiki\KService.exe (KService)
    010 * C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (McAfee Services)
    010 * C:\Program Files\Mcafee\MWL\MwlSvc.exe (McAfee Wireless Network Security Service)
    010 C:\Program Files\Windows Media Connect 2\wmccds.exe (Windows Media Connect Service)
    011 * C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEARAspiWDM)
    011 * C:\WINDOWS\system32\DRIVERS\lmimirr.sys (lmimirr)
    011 * C:\Program Files\LogMeIn\x86\RaInfo.sys (LogMeIn Kernel Information Provider)
    011 * C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn Remote File System Driver)
    011 C:\WINDOWS\System32\Drivers\PxHelp20.sys (PxHelp20)
    031 C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
    031 C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
    031 C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
    031 C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}
    031 * C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}
    052 GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
    061 C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
    061 C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
    061 C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
    061 C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
    061 C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll (Alex Feinman) {34F4B935-17DC-4885-8BC9-CCD1ADF42F93}
    061 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    061 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79305-84BE-11CE-9641-444553540000}
    061 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79306-84BE-11CE-9641-444553540000}
    061 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79307-84BE-11CE-9641-444553540000}
    062 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
    062 C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
    067 * C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
    069 * C:\WINDOWS\system32\LMIport.dll (LogMeIn, Inc.)
    100 Start Page HKCU : www.google.ie
    104 * C:\WINDOWS\Downloaded Program Files\msgrchkr.dll (Microsoft Corporation) {00B71CFB-6864-4346-A978-C0A14556272C}
    104 C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll (Microsoft Corporation) {14B87622-7E19-4EA8-93B3-97215F77A6BC}
    104 * C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll (Microsoft Corporation) {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
    104 C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx (Microsoft Corporation) {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    104 C:\WINDOWS\Downloaded Program Files\Zintro.ocx (Microsoft Corporation) {B8BE5E93-A60C-4D26-A2DC-220313175592}
    104 C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
    105 &Windows Live Search : res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    105 Add to Windows &Live Favorites : http://favorites.live.com/quickadd.aspx
    105 Open in new background tab : res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/229?f3d4d5d08adf45f39686414d02318a70
    105 Open in new foreground tab : res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/230?f3d4d5d08adf45f39686414d02318a70
    107 C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    170 {151a6cc3-2784-11db-a2a8-0011115d17d7} : E:\LaunchU3.exe
    170 E : E:\LaunchU3.exe
    172 * C:\WINDOWS\system32\LMIRfsClientNP.dll (LogMeIn, Inc.)
    173 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    221 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    225 C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll (Alex Feinman) {34F4B935-17DC-4885-8BC9-CCD1ADF42F93}
    225 C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll (Alex Feinman) {34F4B935-17DC-4885-8BC9-CCD1ADF42F93}
    225 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    225 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    227 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    231 C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll (Sun Microsystems, Inc.) OpenOffice.org Column Handler
    231 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.) PDF Column Info

    Missing files
    002 C:\Program Files\McAfee\MBK\LogOnHook.exe
    002 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    002 C:\Program Files\McAfee.com\Agent\mcwelcom.exe
    002 C:\PROGRA~1\McAfee\MHN\McENUI.exe
    002 nbnlmumtiz.exe
    003 C:\Program Files\MSN Messenger\MsnMsgr.Exe
    010 C:\Program Files\McAfee\MBK\MBackMonitor.exe
    010 c:\program files\common files\mcafee\mna\mcnasvc.exe
    010 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    010 C:\Program Files\McAfee\VirusScan\McShield.exe
    010 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
    011 C:\WINDOWS\system32\drivers\abp480n5.sys
    011 C:\WINDOWS\system32\drivers\adpu160m.sys
    011 C:\WINDOWS\system32\drivers\Aha154x.sys
    011 C:\WINDOWS\system32\drivers\aic78u2.sys
    011 C:\WINDOWS\system32\drivers\aic78xx.sys
    011 C:\WINDOWS\system32\drivers\AliIde.sys
    011 C:\WINDOWS\system32\drivers\amsint.sys
    011 C:\WINDOWS\system32\drivers\asc.sys
    011 C:\WINDOWS\system32\drivers\asc3350p.sys
    011 C:\WINDOWS\system32\drivers\asc3550.sys
    011 C:\WINDOWS\system32\drivers\Atdisk.sys
    011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
    011 C:\WINDOWS\system32\drivers\Changer.sys
    011 C:\WINDOWS\system32\drivers\CmdIde.sys
    011 C:\WINDOWS\system32\drivers\Cpqarray.sys
    011 C:\WINDOWS\system32\drivers\dac2w2k.sys
    011 C:\WINDOWS\system32\drivers\dac960nt.sys
    011 C:\WINDOWS\system32\drivers\dpti2o.sys
    011 C:\WINDOWS\system32\drivers\hpn.sys
    011 C:\WINDOWS\system32\drivers\i2omgmt.sys
    011 C:\WINDOWS\system32\drivers\i2omp.sys
    011 C:\WINDOWS\system32\drivers\ini910u.sys
    011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
    011 C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys
    011 C:\WINDOWS\system32\drivers\mraid35x.sys
    011 C:\WINDOWS\system32\drivers\PCIDump.sys
    011 C:\WINDOWS\system32\drivers\PDCOMP.sys
    011 C:\WINDOWS\system32\drivers\PDFRAME.sys
    011 C:\WINDOWS\system32\drivers\PDRELI.sys
    011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
    011 C:\WINDOWS\system32\drivers\perc2.sys
    011 C:\WINDOWS\system32\drivers\perc2hib.sys
    011 C:\WINDOWS\system32\drivers\ql1080.sys
    011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
    011 C:\WINDOWS\system32\drivers\ql12160.sys
    011 C:\WINDOWS\system32\drivers\ql1240.sys
    011 C:\WINDOWS\system32\drivers\ql1280.sys
    011 C:\WINDOWS\system32\drivers\Simbad.sys
    011 C:\WINDOWS\system32\drivers\Sparrow.sys
    011 C:\WINDOWS\system32\drivers\sym_hi.sys
    011 C:\WINDOWS\system32\drivers\sym_u3.sys
    011 C:\WINDOWS\system32\drivers\symc810.sys
    011 C:\WINDOWS\system32\drivers\symc8xx.sys
    011 C:\WINDOWS\system32\drivers\TosIde.sys
    011 C:\WINDOWS\system32\drivers\ultra.sys
    011 C:\WINDOWS\system32\drivers\ViaIde.sys
    011 C:\WINDOWS\system32\drivers\WDICA.sys
    031 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    041 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    042 C:\Documents and Settings\Meabh\Start Menu\Programs\IMVU\Run IMVU.lnk
    052 c:\PROGRA~1\mcafee\msk\mcapbho.dll
    052 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    052 C:\Program Files\McAfee\VirusScan\scriptsn.dll
    061 deskpan.dll
    173 c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll
    221 c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll
    225 c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll
    225 c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll

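The log above is in RunScanner's format (RunScanner.exe is in the process list, and the three-digit prefixes are its section codes), and the next reply asks for the .run file and a HijackThis log so the responder can read it. What a responder actually does with such a log is scan for a few tell-tale patterns: autostart entries whose target file is gone, bare filenames with no directory, binaries running out of Temp, names that look machine-generated, and entries with no publisher recorded. The following is an added example, not code from this thread, from RunScanner, HijackThis or Malwarebytes, that applies those heuristics to a log in this format. The section names it keys on, the weights, and the sample log (constructed from a handful of lines in the same layout, not the full log) are all assumptions. It does not claim to know what Malwarebytes removed; the thread never says.

```python
"""Triage heuristics for a RunScanner-style startup/process log.

Added example, not code from the boards.ie thread or from RunScanner,
HijackThis or Malwarebytes. It reads the three section headings the log
uses ("Running processes", "Unrated items", "Missing files"), pulls the
file path out of each line, and scores each entry with a few heuristics a
responder applies by eye. The weights, the section names and the sample
log below are assumptions; the sample is constructed from a few lines in
the same format, not the full log.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in the log's layout (code, optional '*', path, publisher).
SAMPLE_LOG = """\
Running processes
* C:\\WINDOWS\\system32\\svchost.exe (Microsoft Corporation)
* C:\\WINDOWS\\system32\\Ati2evxx.exe
* C:\\Documents and Settings\\Will\\Local Settings\\Temp\\wz938b\\RunScanner.exe (Runscanner.net)

Unrated items
002 * C:\\Program Files\\Kontiki\\KHost.exe (Kontiki Inc.)
100 Start Page HKCU : www.google.ie
170 E : E:\\LaunchU3.exe

Missing files
002 C:\\Program Files\\McAfee\\MBK\\LogOnHook.exe
002 nbnlmumtiz.exe
011 C:\\WINDOWS\\system32\\drivers\\Aha154x.sys
"""

SECTIONS = ("Running processes", "Unrated items", "Missing files")

# Optional three-digit section code, optional '*' marker, then the rest of the line.
LINE_RE = re.compile(r"^(?:(?P<code>\d{3})\s+)?(?:\*\s+)?(?P<rest>\S.*)$")
# A drive-letter path (spaces allowed) or a bare filename with a binary-ish extension.
PATH_RE = re.compile(
    r"(?P<path>(?:[A-Za-z]:\\[^()\r\n]*?|[\w~.-]+)\.(?:exe|dll|sys|ocx|lnk))\b",
    re.IGNORECASE,
)
VENDOR_RE = re.compile(r"\(([^()]+)\)")
PROFILE_DIR_RE = re.compile(r"\\(?:temp|tmp|local settings|application data)\\")


@dataclass
class Entry:
    section: str
    code: str | None
    path: str
    vendor: str | None
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Entry]:
    """Split the log into entries, keeping only lines that name a file."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = LINE_RE.match(line)
        if section is None or not m:
            continue
        pm = PATH_RE.search(m["rest"])
        if not pm:
            continue  # start-page, CLSID-only and similar lines carry no file
        vm = VENDOR_RE.search(m["rest"][pm.end():])
        entries.append(Entry(section, m["code"], pm["path"], vm.group(1) if vm else None))
    return entries


def looks_random(stem: str) -> bool:
    """Lowercase letters only, few vowels, and a long consonant run."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(c in "aeiouy" for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", stem)), default=0)
    return vowel_ratio < 0.3 and longest_run >= 4


def score(entry: Entry) -> Entry:
    """Attach heuristic reasons and a summed weight to one entry."""
    lower = entry.path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(entry.path))
    hits: list[tuple[str, int]] = []
    if entry.section == "Missing files":
        if ext.lower() == ".sys" and "\\drivers\\" in lower:
            # Stock storage drivers commonly appear here as registry leftovers: low priority.
            hits.append(("missing driver file, often a stale stock entry", 1))
        else:
            hits.append(("autostart points at a file that no longer exists", 3))
    if "\\" not in entry.path:
        hits.append(("bare filename, resolved by PATH search", 2))
    if PROFILE_DIR_RE.search(lower):
        hits.append(("runs from a Temp / profile directory", 2))
    if looks_random(stem):
        # Vendor service binaries often have odd names; a recorded publisher lowers the weight.
        hits.append(("random-looking filename", 1 if entry.vendor else 3))
    if entry.section != "Missing files" and entry.vendor is None:
        hits.append(("no publisher/description recorded", 1))
    entry.reasons = [r for r, _ in hits]
    entry.score = sum(w for _, w in hits)
    return entry


def triage(text: str, threshold: int = 2) -> list[Entry]:
    """Return scored entries at or above threshold, most suspicious first."""
    scored = [score(e) for e in parse_log(text)]
    return sorted((e for e in scored if e.score >= threshold), key=lambda e: -e.score)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.score:2d}  [{e.section}] {e.path}\n      " + "; ".join(e.reasons))
```

On the sample, the bare, random-looking `nbnlmumtiz.exe` autostart whose file is gone scores highest, then the missing McAfee component (expected, since the poster had just uninstalled McAfee), then RunScanner itself for running out of Temp (expected too, since that is where it was unpacked). That ordering is the point of the heuristics: they put the entry worth checking first at the top and leave the human to discount the ones with an obvious explanation. The name heuristic is deliberately noisy; short vendor service names such as `mcmscsvc.exe` trip it, which is why an entry that carries a publisher string only gets a low weight for it.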

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Can you attach the .run file and post the HijackThis log please? Easier for me.


  • Closed Accounts Posts: 19,183 ✭✭✭✭Will


    Malwarebytes found a few rogue things, deleted them and all is well.
    Cheers guys, been a great help :D

    Hopefully family will learn from this... but I doubt it :D

