JeanInMontana
Posts: 3,859
Posts posted by JeanInMontana
-
You didn't remove anything with MBAM. Update MBAM, do a quick scan, and be sure you take action. Copy and paste that log into your reply along with a new HJT log.
-
Due to total lack of cooperation and response, this thread will be closed to prevent others from posting into it.
-
Well, AVG was making the PC at my job boot at least 3 times slower than it does now with it gone. If your drive is making noise, there is a good chance it is failing. I would get it backed up and look into getting a new one. Your logs look clean. You do have excess stuff starting that isn't needed at boot, but a noisy drive is not a good sign.
-
Probably the hosts entries are from SBS&D. Run HJT again in scan only and put a check next to the following then click fix.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blan
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.
Now go to Start>Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it, you have it.
Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy, and always immunize SBS&D when you update. You will also need at least one other scanning program; Asquared or SuperAntiSpyware are good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.
A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.
Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.
Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.
SpywareBlaster from Javacool Software
The Windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic, and this is a must. I use and recommend Online Armor Free.
Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.
-
Your Adobe reader is outdated and a known compromisable version. I would like another quick scan with an updated MBAM and that log.
-
Hi Berny and welcome to Malwarebytes. I don't think there are any issues at all with Kaspersky's. You can buy right from the link in my signature.
-
It's going to keep finding them until you "take action" and remove. The log shows you're not doing that.
-
Did you look in the file location? I'm real sure it ran, if you saw a DOS like box. Skip Windows Recovery Console, and run CF, if there is no file where they are saved to.
-
Follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
-
3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.
Post that log and a HiJack log in your next reply
-
Hi Esschoir and welcome to Malwarebytes. Review this article on how to use ComboFix.
Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.
1. Download this file :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.
2. Double click combofix.exe. It will be a red icon with a white X on your desktop.
Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.
Post that log and a HiJack log in your next reply
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
-
Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.
Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
-
Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.
Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
-
Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.
Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
-
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
-
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
-
Get the logs posted and someone can look at them and tell you what to do next.
-
Obviously the "previous cleaning" didn't clean. Snippets of a HJT log are useless; follow the instructions in the link I posted and we will see if you're clean.
-
You need to be more specific about the messages you're getting. What exactly is it, and how are you posting this if you can't connect?
-
Hi Monkeys and welcome to Malwarebytes. Have a look here, http://malwarebytes.org/mbam.php
-
Hi Gav and welcome to Malwarebytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
-
First get that site offline, before you infect a bunch of other people. It definitely has malicious JavaScript injected. My Avira goes off just using vURL to dissect the site. It gives an IFrame compromise: JS/Dldr.Iframe.BY. Most likely you are reinfecting yourself every time you go there. Take it down now. I can't post the entire code for the site; it's too long.
Then follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
This link shows the site HTML dissection and the JavaScript location: http://vurl.mysteryfcm.co.uk/?url=http://w...&selUAStr=4
Headers:
Date: Thu, 07 Aug 2008 12:49:29 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Keep-Alive: timeout=5
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Who Is:
*******************************************
WhoIs Information
*******************************************
Registration and WHOIS Service provided by directNIC.com
Intercosmos Media Group, Inc. provides the data in the directNIC.com
Registrar WHOIS database for informational purposes only. The information
may only be used to assist in obtaining information about a domain name's
registration record.
directNIC makes this information available "as is", and does not guarantee
its accuracy.
Registrant:
Team Perfecto
Starrangsringen 2
Stockholm, Stockholm Sweden
SE
736924858x46
Domain Name: GABRIO.COM
Administrative Contact:
Moazzami, Peter peter@teamperfecto.com
Starrangsringen 2
Stockholm, Stockholm Sweden
SE
736924858x46
Technical Contact:
Moazzami, Peter peter@teamperfecto.com
Starrangsringen 2
Stockholm, Stockholm Sweden
SE
736924858x46
Record last updated 04-27-2006 10:04:37 AM
Record expires on 05-19-2009
Record created on 05-19-1999
Domain servers in listed order:
NS.OXEO.COM 66.230.133.40
NS2.OXEO.COM 66.230.174.60
NOTE: THE WHOIS DATABASE IS A CONTACT DATABASE ONLY.
LACK OF A DOMAIN RECORD DOES NOT SIGNIFY DOMAIN AVAILABILITY.
WhoIs server: whois.directnic.com
*******************************************
Net-block Information
*******************************************
OrgName: ISPrime, Inc.
OrgID: IPRM
Address: 300 Boulevard East
Address: Suite 100
City: Weehawken
StateProv: NJ
PostalCode: 07086-6702
Country: US
ReferralServer: rwhois://rwhois.isprime.net:4321/
NetRange: 76.9.0.0 - 76.9.31.255
CIDR: 76.9.0.0/19
OriginAS: AS23393
NetName: ISPRIME-ARIN-3
NetHandle: NET-76-9-0-0-1
Parent: NET-76-0-0-0-0
NetType: Direct Allocation
NameServer: NS.ISPRIME.COM
NameServer: NS2.ISPRIME.COM
Comment: Please send abuse complaints to <abuse@isprime.com>
RegDate: 2007-02-08
Updated: 2007-09-13
RAbuseHandle: ISPRI1-ARIN
RAbuseName: ISPrime Abuse
RAbusePhone: +1-212-812-9028
RAbuseEmail: abuse@isprime.com
RNOCHandle: ISPRI-ARIN
RNOCName: ISPrime NOC
RNOCPhone: +1-212-812-9028
RNOCEmail: noc@isprime.com
RTechHandle: ITS7-ARIN
RTechName: ISPrime Technical Support
RTechPhone: +1-212-812-9028
RTechEmail: support@isprime.com
OrgAbuseHandle: ISPRI1-ARIN
OrgAbuseName: ISPrime Abuse
OrgAbusePhone: +1-212-812-9028
OrgAbuseEmail: abuse@isprime.com
OrgNOCHandle: ISPRI-ARIN
OrgNOCName: ISPrime NOC
OrgNOCPhone: +1-212-812-9028
OrgNOCEmail: noc@isprime.com
OrgTechHandle: ITS7-ARIN
OrgTechName: ISPrime Technical Support
OrgTechPhone: +1-212-812-9028
OrgTechEmail: support@isprime.com
# ARIN WHOIS database, last updated 2008-08-06 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
-
The quick scan with MBAM is what is instructed and really all you need to do.
00035872 adware/popuper Adware No 0 Yes No c:\documents and settings\all users\favorites\online antivirus and spyware remover.url
00035872 adware/popuper Adware No 0 Yes No c:\documents and settings\all users\favorites\online directory of pure porn.url
As you can see, the two above are the root of the popups and need to be taken out of Favorites; don't go there again. Porn sites are notorious for infection, and most likely the other is a rogue application.
Run HJT again and remove these lines below by placing a check next to them and then clicking fix.
O1 - Hosts: 66.180.173.39 google.ae
O1 - Hosts: 66.180.173.39 google.am
O1 - Hosts: 66.180.173.39 google.as
O1 - Hosts: 66.180.173.39 google.az
O1 - Hosts: 66.180.173.39 google.bi
O1 - Hosts: 66.180.173.39 google.cd
O1 - Hosts: 66.180.173.39 google.cg
O1 - Hosts: 66.180.173.39 google.ci
O1 - Hosts: 66.180.173.39 google.cl
O1 - Hosts: 66.180.173.39 google.co.cr
O1 - Hosts: 66.180.173.39 google.co.hu
O1 - Hosts: 66.180.173.39 google.co.in
O1 - Hosts: 66.180.173.39 google.co.je
O1 - Hosts: 66.180.173.39 google.co.jp
O1 - Hosts: 66.180.173.39 google.co.ke
O1 - Hosts: 66.180.173.39 google.co.ls
O1 - Hosts: 66.180.173.39 google.co.th
O1 - Hosts: 66.180.173.39 google.co.ug
O1 - Hosts: 66.180.173.39 google.co.uk
O1 - Hosts: 66.180.173.39 google.co.ve
O1 - Hosts: 66.180.173.39 google.dj
O1 - Hosts: 66.180.173.39 google.es
O1 - Hosts: 66.180.173.39 google.fm
O1 - Hosts: 66.180.173.39 google.gg
O1 - Hosts: 66.180.173.39 google.gl
O1 - Hosts: 66.180.173.39 google.gm
O1 - Hosts: 66.180.173.39 google.hn
O1 - Hosts: 66.180.173.39 google.kz
O1 - Hosts: 66.180.173.39 google.li
O1 - Hosts: 66.180.173.39 google.lt
O1 - Hosts: 66.180.173.39 google.lu
O1 - Hosts: 66.180.173.39 google.lv
O1 - Hosts: 66.180.173.39 google.mn
O1 - Hosts: 66.180.173.39 google.ms
O1 - Hosts: 66.180.173.39 google.mu
O1 - Hosts: 66.180.173.39 google.mw
O1 - Hosts: 66.180.173.39 google.no
O1 - Hosts: 66.180.173.39 google.off.ai
O1 - Hosts: 66.180.173.39 google.pn
O1 - Hosts: 66.180.173.39 google.pt
O1 - Hosts: 66.180.173.39 google.ro
O1 - Hosts: 66.180.173.39 google.ru
O1 - Hosts: 66.180.173.39 google.rw
O1 - Hosts: 66.180.173.39 google.se
O1 - Hosts: 66.180.173.39 google.sh
O1 - Hosts: 66.180.173.39 google.sk
O1 - Hosts: 66.180.173.39 google.sm
O1 - Hosts: 66.180.173.39 google.td
O1 - Hosts: 66.180.173.39 google.tm
O1 - Hosts: 66.180.173.39 google.tt
O1 - Hosts: 66.180.173.39 google.uz
O1 - Hosts: 66.180.173.39 google.vg
O1 - Hosts: 66.180.173.39 google.ae
O1 - Hosts: 66.180.173.39 google.am
O1 - Hosts: 66.180.173.39 google.as
O1 - Hosts: 66.180.173.39 google.az
O1 - Hosts: 66.180.173.39 google.bi
O1 - Hosts: 66.180.173.39 google.cd
O1 - Hosts: 66.180.173.39 google.cg
O1 - Hosts: 66.180.173.39 google.ci
O1 - Hosts: 66.180.173.39 google.cl
O1 - Hosts: 66.180.173.39 google.co.cr
O1 - Hosts: 66.180.173.39 google.co.hu
O1 - Hosts: 66.180.173.39 google.co.in
O1 - Hosts: 66.180.173.39 google.co.je
O1 - Hosts: 66.180.173.39 google.co.jp
O1 - Hosts: 66.180.173.39 google.co.ke
O1 - Hosts: 66.180.173.39 google.co.ls
O1 - Hosts: 66.180.173.39 google.co.th
O1 - Hosts: 66.180.173.39 google.co.ug
O1 - Hosts: 66.180.173.39 google.co.uk
O1 - Hosts: 66.180.173.39 google.co.ve
O1 - Hosts: 66.180.173.39 google.dj
O1 - Hosts: 66.180.173.39 google.es
O1 - Hosts: 66.180.173.39 google.fm
O1 - Hosts: 66.180.173.39 google.gg
O1 - Hosts: 66.180.173.39 google.gl
O1 - Hosts: 66.180.173.39 google.gm
O1 - Hosts: 66.180.173.39 google.hn
O1 - Hosts: 66.180.173.39 google.kz
O1 - Hosts: 66.180.173.39 google.li
O1 - Hosts: 66.180.173.39 google.lt
O1 - Hosts: 66.180.173.39 google.lu
O1 - Hosts: 66.180.173.39 google.lv
O1 - Hosts: 66.180.173.39 google.mn
O1 - Hosts: 66.180.173.39 google.ms
O1 - Hosts: 66.180.173.39 google.mu
O1 - Hosts: 66.180.173.39 google.mw
O1 - Hosts: 66.180.173.39 google.no
O1 - Hosts: 66.180.173.39 google.off.ai
O1 - Hosts: 66.180.173.39 google.pn
O1 - Hosts: 66.180.173.39 google.pt
O1 - Hosts: 66.180.173.39 google.ro
O1 - Hosts: 66.180.173.39 google.ru
O1 - Hosts: 66.180.173.39 google.rw
O1 - Hosts: 66.180.173.39 google.se
O1 - Hosts: 66.180.173.39 google.sh
O1 - Hosts: 66.180.173.39 google.sk
O1 - Hosts: 66.180.173.39 google.sm
O1 - Hosts: 66.180.173.39 google.td
O1 - Hosts: 66.180.173.39 google.tm
O2 - BHO: (no name) - {602DD5BD-6413-46D9-B655-937776DFEA19} - C:\WINDOWS\system32\ljJYRHBT.dll (file missing)
O2 - BHO: (no name) - {6BAF4B9A-3399-4233-A380-109DFD48E690} - C:\WINDOWS\system32\andcea.dll (file missing)
O2 - BHO: (no name) - {D8A7FBC6-AE1D-4743-9E70-21902FB19B6D} - C:\WINDOWS\system32\ljJAPIax.dll (file missing)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
O20 - Winlogon Notify: ljJAPIax - ljJAPIax.dll (file missing)
O24 - Desktop Component 0: (no name) - http://www.focusstoc.com/forums/uploads/11..._2_2_117383.jpg
O24 - Desktop Component 1: (no name) - http://www.wolves.premiumtv.co.uk/content/...R64/367353.JPEG
Reboot. Update MBAM do a quick scan again and post that log and a new HJT log.
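The hosts entries in the log above all point dozens of Google country domains at one routable address, 66.180.173.39, which is the signature of a hosts-file hijack; by contrast, the entries SBS&D's immunize feature writes point unwanted hosts at 127.0.0.1 or 0.0.0.0 and are harmless. The script below is an added example written for this page (not the poster's tool, nor part of HijackThis or Malwarebytes): it parses HijackThis `O1 - Hosts:` lines, separates block entries from redirects, groups redirected hostnames by destination address, and flags redirects of well-known brands. The sample log is constructed to mirror the shape of the log above, not copied from it, and the brand list is an assumption for illustration.

```python
"""Triage HijackThis 'O1 - Hosts:' lines: block entries vs. hijack-style redirects."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the log above (not the full posted log).
SAMPLE_LOG = """\
O1 - Hosts: 66.180.173.39 google.co.uk
O1 - Hosts: 66.180.173.39 google.se
O1 - Hosts: 66.180.173.39 google.ru
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 0.0.0.0 ad.doubleclick.net
O2 - BHO: (no name) - {602DD5BD-6413-46D9-B655-937776DFEA19} - C:\\WINDOWS\\system32\\ljJYRHBT.dll (file missing)
"""

# HijackThis prints hosts entries as "O1 - Hosts: <ip> <hostname>".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Assumed watch list: second-level labels whose redirection is never legitimate.
WATCHED_LABELS = {"google", "microsoft", "paypal"}


def parse_o1(log):
    """Yield (ip, hostname) for each O1 line; other HJT sections are ignored."""
    for line in log.splitlines():
        m = O1_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower()


def is_block_entry(ip):
    """True for loopback/unspecified targets, which only blackhole a hostname."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as suspicious, not as a block
    return addr.is_loopback or addr.is_unspecified


def find_redirects(log):
    """Map each routable destination address to the sorted hostnames sent to it."""
    redirects = defaultdict(set)
    for ip, host in parse_o1(log):
        if not is_block_entry(ip):
            redirects[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in redirects.items()}


def watched_redirects(log):
    """Hostnames on the watch list that are redirected to a routable address."""
    hits = []
    for ip, hosts in find_redirects(log).items():
        for host in hosts:
            if WATCHED_LABELS & set(host.split(".")):
                hits.append((host, ip))
    return sorted(hits)


def report(log):
    """Human-readable summary of what the O1 section says about the machine."""
    lines = []
    for ip, hosts in sorted(find_redirects(log).items()):
        lines.append(f"{len(hosts)} hostname(s) redirected to {ip}: {', '.join(hosts)}")
    for host, ip in watched_redirects(log):
        lines.append(f"HIJACK: {host} -> {ip}")
    if not lines:
        lines.append("no routable redirects found; remaining O1 entries only block hosts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Every routable redirect is worth removing, but the watch-list hits are the ones that show the user's searches were being silently steered; the block entries at 127.0.0.1 and 0.0.0.0 are the immunize pattern and are left alone.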
-
Hi chucky830 and welcome to Malwarebytes. Interesting, how did you use malware to remove malware? xp 2008? No such thing, that I'm aware of. I suggest you follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936
In thread: Did I remove Antivirus XP 2008? (hijack this file), in Resolved Malware Removal Logs
Hi Adam Splitter and welcome to Malwarebytes. Empty the quarantine of MBAM, update it and run a quick scan. Post the MBAM log and a new HJT log please.