
1972vet
Experts
Content Count: 1,341

Posts posted by 1972vet


  1. Your log shows that you took no action. Make sure you follow these scan instructions:

    Open mbam:

    On the Scanner tab, make sure the "Perform Quick Scan" option is selected. Then click on the Scan button.

    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.

    Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


  2. This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  3. 4) I have recovered the PC from dozens of virus/malware infections about 2 weeks ago.

    ...and therein I believe, is the problem. What happened two weeks ago is known only to you unless you have some documented help forum posting that you can point me to. Otherwise, I and all other expert analysts here are in the dark regarding the situation.

    The combofix log you have presented is not representative of the log that would have been produced if you had followed my instructions. The log starts as follows:

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\winnt\system32\drivers\mrxdavv.sys

    c:\winnt\system32\kwave.sys

    ...and it most definitely should not. Those items shown above were not included in the script I wrote for you, so the only way they could have appeared in the log produced is if you edited the script that I wrote. This is not going at all like it should. I am now wondering how you expect us to help you if you go about your business ignoring what the posted instructions tell you. I hope you at least can understand that, given your performance, it is impossible to proceed.

    The items in my script that should appear at the beginning of the log should look like this:

    (((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe

    along with any files that would have been inside the folders C:\Program\F-Secure Internet Security and

    C:\Program Files\F-Secure Internet Security

    ((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))

    -------\FSORSPClient

    -------\FSMA

    -------\FSDFWD

    -------\FSAUA

    -------\F-Secure Gatekeeper Handler Starter

    ...So my advice to you sir, unfortunately, would be a complete nuke and pave. With the infection that you have, and having absolutely no knowledge of what infection(s) you encountered two weeks ago, the only sure way for you to clean that system is a reformat and reinstall.

    If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?"

    Your PC has likely been compromised as a result of the rootkit infection and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that even if the rootkit can be removed the computer is now secure.

    In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:


  4. Do you find some use for nlite? It's fine if you do, it's just that the utility creates several startup entries and run once entries that are not necessary in my opinion.

    Did you install the Smart Keystroke recorder program? You should uninstall Acrobat Reader 7.0 as it is out of date and has been exploited. You can install the latest version Here.

    Run hijackthis again and check the box next to these entries:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab

    Close all other open windows now except for hijackthis, then click the Fix Checked button.

    Reboot the system to properly record the changes made to the hard disk.

    When your system comes back up, please run a manual update to your onboard antivirus application. Boot to safe mode and run a complete system scan. When that completes, allow the software to quarantine whatever it complains of. Reboot when finished, back to your normal Windows user mode, and post back your results along with a fresh HijackThis log. Please advise how the system behaves now and if you are having any other issues. Thanks!


  5. Nothing that really rattles my cage...you have a couple of outdated pieces of software that should go. AVG7 is no longer supported. You should uninstall it and install their latest version 8. The program Acrobat Reader 6.0 is also out of date and exploited. Uninstall what you have, and install the latest version Here.

    When you finish up, just disregard the results of your msrt scan. Your first scan results would have been what I was after. Anything that was removed during the first scan of course, would not be an issue during your second scan.

    Please download Malwarebytes Anti-Malware and save it to your desktop.

    If you have problems with that link, you can also download it from Here or Here

    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
      If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM. In addition, please post a fresh HijackThis log. Thanks!

    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.

    Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


  6. My PC has been in Normal Mode with all services and startup programs running for days (ever since AdvancedSetup told me to).

    ...but that's not what I suggested. Thank you for your answer, however I would like you to do the following:

    Please click start-->run

    type:

    msconfig

    ...then click "ok". When the System Configuration Utility opens, click the "Startup" tab. Please check the box next to every item that is listed there. Reboot the system and check the box "Do not show this again" that pops up on reboot.

    Since C:\winnt\system32\drivers\mrxdavv.sys and C:\winnt\system32\kwave.sys were in CFScript.txt and ComboFix lists them as Other Deletions, doesn't that mean they were deleted? Of course, it seems they are being recreated upon startup some how.

    Here, you have answered your own question. I don't see them reappearing in the combofix log. If they were being recreated, that's where they would appear. How is it that you suggest they have reappeared? Can you show me where you believe they exist? If you are concerned that they are being recreated because when you re-run mbam, that log shows their existence, I can put your mind at ease...they are not...mbam's next build will deal with this.

    I deleted the following by hand so as to have a close look at anything that might be causing the problem. Nothing really stood out...

    In so doing, you have usurped the built-in integrity that the author of combofix spent so much of his valuable and precious time writing into that utility. Please do nothing else of this nature unless directed. If you continue to perform selective surgery on your system while requesting assistance in any of these help forums, it may be best if you did so on your own. I know of no other expert analyst who would get along well with this type of scenario. I will continue to try working with you, but it would be in your best interest to follow instructions explicitly while these troubleshooting efforts are underway. Thanks for understanding.

    I was not sure how to do more than delete the driver files, so for good measure I ran ComboFix with your CFScript file.

    Your statement above is a good example of what you are doing wrong while working with any of these expert volunteers...using the suggestions made in this thread as a "last" ditch effort so-to-speak. Please, once again, follow the instructions explicitly and do not pick through what is posted here for you, selecting what you want to do on your own and tossing out the rest. It is in your best interest to follow through with the posted instructions that we tailor for your system. While I can appreciate your interest in trying to learn what it is that our instructions are designed to do for your system, it is only delaying a successful outcome.

    I can appreciate your answer to my assertion that you should return to msconfig to make certain that everything that is designated to run on startup is allowed to run...but you failed to do that as evidenced by this entry in the cf log:

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ICF"=2 (0x2)
    "FCI"=2 (0x2)
    "FSORSPClient"=3 (0x3)
    "FSMA"=2 (0x2)
    "FSDFWD"=3 (0x3)
    "FSAUA"=3 (0x3)
    "F-Secure Gatekeeper Handler Starter"=2 (0x2)

    "ICF" is your internet connection firewall.

    "FCI", I suspect, is part of your rootkit infection "Rootkit Pandex/Cutwail - Protect.sys"...if your msconfig startup entries had been reset from the beginning of this thread, your run of sdfix would have been sufficient to remove this trojan, as evidenced Here.

    The rest of the items listed here, from "FSORSPClient" on, are service drivers that all belong to the application F-Secure Internet Security.

    ...those entries are representative of services that are still installed and are no doubt causing some of your incompatibility issues that result in a wrestling contest. It is important for you to follow these suggestions if your intent is to have positive results.

    As it stands, none of us here can be certain of what you have done by running combofix on your own previous to your creation of this thread as you stated in your opening line.

    That, along with your history of "selective surgery", can indeed be the early footprints of a disaster in the making. Combofix is a highly specialized tool that should not be used willy-nilly. If you are not trained in its purpose and use techniques, running the tool without supervision is done at your own risk.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically.

    KILLALL::

    File::

    C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe

    Folder::

    C:\Program\F-Secure Internet Security

    C:\Program Files\F-Secure Internet Security

    Driver::

    FSORSPClient

    FSMA

    FSDFWD

    FSAUA

    F-Secure Gatekeeper Handler Starter

    Reboot the computer into Safe mode.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.

    • Type Y to begin the cleanup process.

    • Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.

    • Press any Key and it will restart the PC.

    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    • Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt

      (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).

    • Finally paste the contents of the Report.txt back here along with a fresh HijackThis log...please remember to post your last combofix log generated by the cfscript. Thanks!


  7. Greetings Al Stearns,

    I have been shadowing this thread at the request of my colleague and I'd like to step in to add a few things that I've noted and help where I can...

    For the past day or so I have been running in a CLEAN BOOT mode (all Startup and non-MS services disabled) so as to keep things as simple as possible and to possibly not run harmful software. I have just changed that to NORMAL.

    So far so good...but to make certain that you have everything running that is designated to run, please return to msconfig startup tab and re-check any of the boxes that you may have unchecked previously. If there is any harmful software designated to run, we want it running while these diagnostic procedures continue.

    Intertrust Technologies is considered Spyware/Adware by the Web Of Trust (just fyi...no response required).

    The file:

    c:\winnt\system32\drivers\GEARAspiWDM.sys

    ...relates to itunes and has been known to cause cdrom problems that only disappear when itunes is uninstalled.

    Please remove/uninstall any of the Sysinternal tools you may have including Process Monitor, Filemon, and Regmon. Uninstall TrendMicro Internet Security Suite as well as IncrediMail and HotBar.

    Is xlog part of your xerox scanner or do you use the open source version of the log reading admin tool?

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

    KILLALL::

    File::

    c:\documents and settings\Owner\settings.dat

    C:\ProcessMonitor.zip

    c:\winnt\system32\drivers\tmcomm.sys

    c:\winnt\system32\drivers\SymIM.sys

    c:\winnt\system32\drivers\GEARAspiWDM.sys

    c:\program files\rgzvb.txt

    c:\program files\directxwebsetup.exe

    Folder::

    c:\documents and settings\Owner\Application Data\Symantec

    C:\found.000

    c:\documents and settings\All Users\Application Data\fssg

    c:\winnt\system32\ODARMFOLZB

    c:\documents and settings\Owner\.housecall6.6

    c:\documents and settings\Administrator\Application Data\InterTrust

    c:\documents and settings\Administrator\Application Data\InterVideo

    c:\program files\IncrediMail

    c:\program files\hbinst

    Driver::

    tmcomm

    SymIM

    GEARAspiWDM

    Registry::

    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]


  8. Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  9. OK Bruce...interesting findings. Originally of course, mbam found this but as stated, only after a full system scan. Now, after restoring the items, mbam finds nothing either quick scan or full scan but SAS did. Below are the logs. By the way, did you still want me to run the scan in developer mode?

    Spybot S&D: Nothing

    Comodo: Nothing

    BlackLight: Nothing

    gmer: Nothing remarkable

    ROOTREPEAL © AD, 2007-2008

    ==================================================

    Scan Time: 2009/02/05 11:12

    Program Version: Version 1.0.2.0

    Windows Version: Windows XP SP3

    ==================================================

    Drivers

    -------------------

    Name: dump_atapi.sys

    Image Path: E:\WINDOWS\System32\Drivers\dump_atapi.sys

    Address: 0xB6E01000 Size: 98304 File Visible: No

    Status: -

    Name: dump_WMILIB.SYS

    Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

    Address: 0xBADF2000 Size: 8192 File Visible: No

    Status: -

    Name: PAGEDFRG.SYS

    Image Path: E:\WINDOWS\system32\Drivers\PAGEDFRG.SYS

    Address: 0xBAF88000 Size: 1664 File Visible: No

    Status: -

    Name: RootRepeal.sys

    Image Path: E:\WINDOWS\system32\drivers\RootRepeal.sys

    Address: 0xB59DD000 Size: 40960 File Visible: No

    Status: -

    Name: uphcleanhlp.sys

    Image Path: E:\WINDOWS\system32\Drivers\uphcleanhlp.sys

    Address: 0xB53A0000 Size: 8960 File Visible: No

    Status: -

    Antivir: E:\System Volume Information\_restore{553ECCAA-42A4-47E2-85CC-A8A376539570}\RP245\A0091853.exe

    [DETECTION] Is the TR/Trash.Gen Trojan

    [NOTE] The file was deleted!

    Since nothing was found except in system restore, I doubt this finding is valid...deleting a s/r file causes me no heartburn either.

    MBAM's normal scheduled scan (Quick Scan) again this morning finds nothing in its normal quick scan mode, even after I restored these findings...however, SAS found those same entries during a quick scan this morning:

    Malwarebytes' Anti-Malware 1.33

    Database version: 1731

    Windows 5.1.2600 Service Pack 3

    2/5/2009 9:08:35 AM

    mbam-log-2009-02-05 (09-08-35).txt

    Scan type: Quick Scan

    Objects scanned: 48219

    Time elapsed: 2 minute(s), 15 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    SAS:

    Adware.MyWebSearch/FunWebProducts [2 items]

    Registry Keys:

    HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

    HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs


  10. The entry comes from my own system...the full log here:

    Malwarebytes' Anti-Malware 1.33

    Database version: 1721

    Windows 5.1.2600 Service Pack 3

    2/3/2009 4:52:18 PM

    mbam-log-2009-02-03 (16-52-18).txt

    Scan type: Full Scan (C:\|E:\|F:\|)

    Objects scanned: 243698

    Time elapsed: 2 hour(s), 16 minute(s), 59 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    ...and was from a full system scan. The scan finds nothing from a quick scan, but this full scan squawked about those reg entries and references no files. Nothing else I have run complains of a thing either. (Antivir, AVZ, SB S&D, SAS, Comodo A/V)

    I've not run a full scan before so I couldn't tell you what application may have caused this or perhaps, which update...I just think it's a FP since I have no issues and no other app that complains.


  11. It's only been detected with the latest update. I've had this file for quite some time now:

    2/4/09

    Files Infected:

    E:\Program Files\QuickTime Alternative\QuickTimePlayer.exe (Adware.SearchIt99) -> No action taken.

    2/3/09

    These reg entries too please:

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
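Post 1 above complains that a log "shows that you took no action", and the logs in the last two posts show both outcomes ("Quarantined and deleted successfully" versus "No action taken") in the same layout. As an added example, not forum or Malwarebytes code, this Python script parses an MBAM 1.x text log, checks that the summary counts agree with the items actually listed (a disagreement usually means a truncated or hand-edited log), and reports which detections were left in place. The sample log is constructed from the layout quoted above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and decide whether the
scan actually removed what it found.  Added example for this thread, not
Malwarebytes code.  SAMPLE_LOG is constructed from the log layout quoted
in the posts above."""
import re
from typing import Dict, List, Tuple

# Constructed sample: one quarantined item, two still marked "No action taken".
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1731
Windows 5.1.2600 Service Pack 3

2/4/2009 9:08:35 AM
mbam-log-2009-02-04 (09-08-35).txt

Scan type: Quick Scan
Objects scanned: 48219
Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> No action taken.

Files Infected:
E:\Program Files\QuickTime Alternative\QuickTimePlayer.exe (Adware.SearchIt99) -> No action taken.
"""

# "Registry Values Infected: 2"  -> summary count for that category
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "<item> (<family>) -> <action>."  -> one detected object
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

Finding = Tuple[str, str, str, str]  # (category, item, family, action)


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Finding]]:
    """Return the summary counts and every listed detection with its action."""
    summary: Dict[str, int] = {}
    findings: List[Finding] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):   # start of a detail section
            category = line[:-1]
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append((category, m.group("item"), m.group("family"), m.group("action")))
    return summary, findings


def pending_items(findings: List[Finding]) -> List[Finding]:
    """Detections the user left alone; these come back on the next scan."""
    return [f for f in findings if f[3] == "No action taken"]


def count_mismatches(summary: Dict[str, int], findings: List[Finding]) -> List[str]:
    """Categories whose summary count disagrees with the items actually listed."""
    listed: Dict[str, int] = {}
    for cat, _, _, _ in findings:
        listed[cat] = listed.get(cat, 0) + 1
    return [cat for cat, n in summary.items() if n != listed.get(cat, 0)]


def scan_verdict(text: str) -> str:
    """'clean', 'removed' (everything quarantined) or 'not-removed'."""
    summary, findings = parse_mbam_log(text)
    if sum(summary.values()) == 0:
        return "clean"
    return "not-removed" if pending_items(findings) else "removed"


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("verdict:", scan_verdict(SAMPLE_LOG))
    for cat, item, family, action in pending_items(findings):
        print(f"  still present: {item} [{family}] in {cat}")
    print("count mismatches:", count_mismatches(summary, findings))
```

On the constructed log the verdict is "not-removed" with the HKCU Run value and the QuickTime executable listed as still present; a log where every item ends in "Quarantined and deleted successfully" yields "removed".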


  12. When HJT runs a scan, I get a popup warning that it is denied permission to write to the host file(s). Is this significant?

    Yes, and it relates to one of your security applications not having been disabled. While you run these suggested fix instructions, your system set up will wrestle with any removal attempt unless you can disable these...

    Let's use the big gun now:

    Please download combofix from This Webpage...and read through the instructions there for running the tool.

    ***Important Note***

    Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

    If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

    The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

    Once installed, a blue screen prompt should appear that reads as follows:

    The Recovery Console was successfully installed.

    When you see that screen, please continue as follows:

    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please post back the following on your next reply:

    C:\ComboFix.txt

    New HijackThis log.


  13. OK, let's try to get rid of the trojans, then we can take a deeper look at things:

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and the files will be extracted to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    Reboot the computer into Safe mode.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt
      (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).
    • Finally paste the contents of the Report.txt back here along with a fresh HijackThis log.

  14. Before we attempt to use a bigger gun, let's try to reset the router:

    1. Unplug or turn off your DSL/cable modem.

    2. Locate the router's reset button.

    3. Press, and hold, the Reset button down for 30 seconds.

    4. Wait for your Power, WLAN and Internet light to turn on. (On the router)

    5. Plug in or turn on your modem.(if it is separate from the router)

    6. Open your web browser to see if you have an internet connection. If you still don't have an internet connection you may need to restart your computer.

    Now that the router has been reset, a default password will never do...please create a strong password now in order to strengthen the security of your wireless connection. Once this is completed, please run another quick scan using mbam and post back THAT log. Thanks!


  15. The Melbourne reference is an error on my part...it came from the HijackThis log entry here:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 79.99.43.128:3128

    ...the IP address there is indeed for a server located in Great Britain, but the local mail address is referencing Melbourne, Derbyshire, GB. This was my mistake: at first glance I took Melbourne and ran with that. Sorry. If you know this server is ok then it's fine to leave it...but if not, you should add that HijackThis log entry as one to remove with the others.


  16. Pest Patrol by itself is fine although the active guard process is one which may conflict with any removal effort so it should be disabled during the cleanup.

    Adding Ingersoll Rand Co to your hosts file is fine since you know the particular IP is for your employer...it's just not really necessary, since your browser will look up the URL when entered and convert it to the proper IP for its target.

    Entering the IP into the hosts file is just a safe bet that you will connect...however, if entered wrong, it can redirect your browser to the IP that was entered incorrectly.

    The IP of 127.0.0.1 is the universal name for your own computer...everyone's computer is named by default with the same IP so that it can be used for safety reasons to prevent your browser from connecting to web sites that are not considered safe. On the other hand, it can be used by ill intentioned users to redirect your connection attempt.

    For example:

    if I enter in my host file:

    127.0.0.1 www.malwarebytes.com

    and you try to go to www.malwarebytes.com, it will check the hosts file, see the entry and convert that to the IP address of 127.0.0.1 instead of its correct address. In that example, the browser would not connect to the web site "MalwareBytes".

    Host file redirection is when a hijacker changes your hosts file to redirect your attempts to reach a certain web site to another site. So if someone added an entry like:

    127.0.0.1 www.google.com

    and you tried to go to www.google.com, you would instead get redirected to 127.0.0.1 which is your own computer.

    Lastly, the O16 entry you reference is fine since you know its purpose. The web did not return much "English" information about its cabinet file. Keeping it does no harm...removing it does no harm either, as you would just download the ActiveX for that web site the next time you visited. Hope this helps.
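The hosts-file mechanics described in the post above, as an added example that is not part of the original post: a Python audit that reads a hosts file, treats localhost mapped to loopback as normal, and reports any other name pointed at 127.0.0.1 (sinkholed, the www.malwarebytes.com case) or at some other address (redirected to a host the browser did not ask for). The sample hosts text, the employer intranet name and the bank name are constructed; the allowlist stands in for entries the administrator knows about, like the Ingersoll Rand line.

```python
"""Audit a Windows hosts file for the kind of redirection the post describes.
Added example, not from the forum post.  SAMPLE_HOSTS is constructed: the two
127.0.0.1 lines are the post's own examples, the employer and bank names are
made up."""
import ipaddress
from typing import FrozenSet, List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
10.20.30.40     intranet.example-employer.com   # added on purpose by the user
127.0.0.1       www.malwarebytes.com
127.0.0.1       www.google.com
192.0.2.55      www.example-bank.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs; comments and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # first token is not an address
        for name in parts[1:]:
            entries.append((name.lower(), str(ip)))
    return entries


def audit_hosts(text: str, known_good: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Classify each mapping:
       expected    - localhost pointing at loopback
       allowlisted - a name the administrator put there deliberately
       sinkholed   - a public site pointed at loopback (the site is silently blocked)
       redirected  - a public site pointed somewhere else entirely"""
    results: List[Tuple[str, str, str]] = []
    for name, ip in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        if name in ("localhost", "localhost.localdomain") and loopback:
            verdict = "expected"
        elif name in known_good:
            verdict = "allowlisted"
        elif loopback:
            verdict = "sinkholed"
        else:
            verdict = "redirected"
        results.append((name, ip, verdict))
    return results


def suspicious(text: str, known_good: FrozenSet[str] = frozenset()) -> List[str]:
    """Names a responder should look at first."""
    return [n for n, _, v in audit_hosts(text, known_good) if v in ("sinkholed", "redirected")]


if __name__ == "__main__":
    allow = frozenset({"intranet.example-employer.com"})
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS, allow):
        print(f"{verdict:12} {ip:16} {name}")
    print("look at:", suspicious(SAMPLE_HOSTS, allow))
```

Only the verdict differs between the two bad cases, but the consequence does too: a sinkholed security-vendor site stops a scanner updating, while a redirected bank name sends the user to whatever answers at the substituted address, which is why the post treats a mistyped or planted IP as more than an inconvenience.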


  17. I see several problems with the entries produced in those logs. First I'd like to mention that the service you have running for AT&T which appears in your HijackThis log here:

    O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE

    ...may be at least in part, responsible for some of the entries that appear in the mbam log and the resulting return with each reboot. Pest Patrol, quite an old piece of software by the way, is also likely to interfere.

    In addition to this, your Spybot Search and Destroy's Tea Timer function is actually a registry protection feature that will wrestle with any of your security application's removal efforts. You should remember to disable these security software protection features before running your scanning software...and in particular, you need to disable them if we want to succeed with our fix instructions below.

    To disable Tea Timer, please do this:

    1) Run Spybot-S&D

    2) Go to the Mode menu, and make sure "Advanced Mode" is selected

    3) On the left hand side, choose Tools -> Resident

    4) Uncheck "Resident TeaTimer" and OK any prompts

    5) Restart your computer.

    Please remember to re-enable these once we are certain your system has been cleared up of these present issues you are experiencing.

    Viewpoint Service is Foistware. You probably did not intend to download this program...more than likely it was forced upon you, bundled with some other download. To remove it, click start-->control panel-->add/remove programs.

    Scroll down the list to locate the program name, click on it to highlight it, then click Remove. Reboot the computer when the uninstallation completes.

    You have a proxy server set up to connect through a server located in Melbourne, Australia...is this correct? Do you have a particular reason why you added the "Ingersoll Rand Company" to your hosts file?

    You can run HijackThis again and check the box next to these entries:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    The "O6" entry below is normally seen when the user has employed the protective "Administrative Locking Features" available from Spybot Search and Destroy (and some other applications)...if you know with certainty that you do NOT use this feature, then place a check next to this one too:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    As with these entries from I.B.M., you can place anything you want into your trusted zone but in so doing, it is equal to leaving the keys to your front door in the lock as you go away on vacation. If you agree that is a bad idea, then place a check next to these "O15" entries as well:

    O15 - Trusted Zone: c42sjcuxs01.corio.com

    O15 - Trusted Zone: c42sjcuxs07.corio.com

    O15 - Trusted Zone: c48temuxs23.corio.com

    O15 - Trusted Zone: c4ksjduxs01.corio.com

    O15 - Trusted Zone: c4ksjduxs02.corio.com

    O15 - Trusted Zone: *.corio.com

    O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab

    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -

    O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -

    O16 - DPF: {F694EA1F-2EC1-445D-8988-1862AD0CC4C8} (pvvercheck_ie Control) - https://windchill.ingersollrand.com/Windchi...vercheck_ie.cab

    O23 - Service: ZJKXKHSPBKP - Unknown owner - D:\TEMP\ZJKXKHSPBKP.exe (file missing)

    Please close all other windows you have open now (including this browser window)...leaving only the HijackThis application's window open, click the Fix Checked button.

    Reboot the computer.

    When the system comes back up, please open a command prompt...click start-->run

    ...then, type CMD in the run box and click "OK". When the command prompt window opens, copy and paste the following, then press your enter key:

    sc delete ZJKXKHSPBKP

    You should receive a "Successful" message returned. Please reboot again to properly record these changes made to your hard disk. Please run a manual update to your onboard mbam and perform another quick scan. Please post back that log along with a fresh HijackThis log, advise how the system is behaving, and remember to answer these:

    "You have a proxy server setup to connect through a server located in Melbourne Australia...is this correct? Do you have a particular reason why you added the "Ingersoll Rand Company" to your hosts file?"

    Are you having any other issues? Thanks!
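A script form of the triage the post above performs by hand, added here as an example (not HijackThis or forum code). The sample lines are taken from the log entries quoted in the post; the section rules and the severity labels are this example's own, written for a reviewer, and assume a person reads the output before anything is fixed. Only the O23 "file missing" case is turned into a command, and it is the same `sc delete` the post gives.

```python
"""Triage HijackThis log lines with the reasoning the post applies by hand.
Added example, not HijackThis or forum code.  SAMPLE_LOG reuses lines quoted
in the post; the rules below are this example's own starting point for a
human review, not a verdict."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 79.99.43.128:3128
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: c42sjcuxs01.corio.com
O15 - Trusted Zone: *.corio.com
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab
O23 - Service: ZJKXKHSPBKP - Unknown owner - D:\TEMP\ZJKXKHSPBKP.exe (file missing)
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
Result = Tuple[str, str, str]  # (section, severity, note)


def _service_name(body: str) -> str:
    """'Service: Display Name (ShortName) - owner - path' -> name usable with sc."""
    m = re.match(r"Service: (.+?) - ", body)
    display = m.group(1) if m else body
    short = re.search(r"\(([^()]+)\)$", display)
    return short.group(1) if short else display


def triage_line(line: str) -> Optional[Result]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "R1" and "ProxyServer" in body:
        proxy = body.split("=", 1)[1].strip()
        return (sec, "review", f"browser proxy set to {proxy}; confirm it is intentional")
    if sec == "O2" and body.endswith("(no file)"):
        return (sec, "fix", "BHO with no backing file; orphaned entry, safe to fix")
    if sec == "O6":
        return (sec, "review", "IE policy restrictions present; fix unless Spybot's lock feature is in use")
    if sec == "O15":
        zone = body.split(":", 1)[1].strip()
        sev = "fix" if zone.startswith("*.") else "review"   # wildcard trusts a whole domain
        return (sec, sev, f"trusted zone {zone}; every entry lowers IE security for that host")
    if sec == "O16":
        url = re.search(r"https?://\S+", body)
        host = urlsplit(url.group(0)).hostname if url else None
        if host:
            try:
                ipaddress.ip_address(host)
                return (sec, "review", f"ActiveX control fetched from a bare IP ({host})")
            except ValueError:
                pass
        return (sec, "info", "ActiveX download entry")
    if sec == "O23":
        name = _service_name(body)
        if body.endswith("(file missing)"):
            return (sec, "fix", f"service {name} points at a missing file; remove with: sc delete {name}")
        return (sec, "info", f"service {name} has a file on disk; review its owner")
    return (sec, "info", "no rule for this section")


def triage(text: str) -> List[Result]:
    """Triage every recognised line of a HijackThis log, in order."""
    return [r for r in (triage_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for sec, sev, note in triage(SAMPLE_LOG):
        print(f"{sec:4} {sev:7} {note}")
```

On the quoted lines the script flags the proxy and the IE restrictions for a question back to the user, the orphaned BHO, the wildcard trusted zone and the missing-file service as fixes (with `sc delete ZJKXKHSPBKP` for the last), and leaves the AT&T service as informational with its owner shown.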
