Possible Hijack

[tqh]

Well I was wondering if it was okay what I did to get rid of the java deployment toolkit entry in mozilla (see personal message I sent before you reopened this topic).  This is what I wrote last:

 

Well I looked online for some possible solutions and found one that involved deleting the .dll file associated with the entry.  I followed this link:

 

http://forums.mozill...?f=38&t=2632007

 

Some other sites suggested renaming it but I just deleted it.  It is still in my recycle bin if I need to restore it.  What do you think?  Sorry for not replying sooner, but I don't use this computer on a regular basis.

 

Thanks again!

 

You mentioned there was one more thing we could do in the personal message before this one.  Is what I did the thing you were going to suggest.  Sorry for all of the confusion.

 

Thanks

[AdvancedSetup]

Removing the Java by deleting is fine.  Let me have you run the following.

 

Please download Security Check from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

 

[tqh]

Here is the log.  Thanks again.

 

 Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Adobe Flash Player     11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox (23.0.1)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

[AdvancedSetup]

That log looks good.

 

Please download the following program and run it to help remove any left over elements of Java
JavaRa-1.16-28-5-13.zip

Unzip the files to a new folder and then run the progam and have it scan for and remove Java.

Post back the log when done

[tqh]

Here is the JavaRa log.  FYI I did not search for updates.  I just ran the program after unzipping.  Hope that was the right move.  Thanks again.

 

 

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Sep 02 17:35:04 2013

Found and removed: C:\Documents and Settings\poi\Application Data\Sun\Java\jre1.6.0_26

Found and removed: C:\Documents and Settings\poi\Application Data\Sun\Java\jre1.6.0_27

Found and removed: C:\Documents and Settings\poi\Application Data\Sun\Java\jre1.6.0_29

Found and removed: SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}

Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkit

Found and removed: SOFTWARE\Microsoft\Internet Explorer\Low Rights

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Found and removed: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs

Found and removed: SOFTWARE\JavaSoft

Found and removed: SOFTWARE\JreMetrics

Found and removed: SOFTWARE\MozillaPlugins

------------------------------------

Finished reporting.
 

[AdvancedSetup]

Great that looks good. Please run MBAM and check for update and run a Quick Scan and post back that log.

Then run a new DDS scan and post back those logs.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.

• When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt

• Save both reports to your desktop
• Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
• You can ignore the note about zipping the Attach.txt file.

[tqh]

Here are the new logs...

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.02.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
poi :: FLOYD [administrator]

9/2/2013 6:55:33 PM
mbam-log-2013-09-02 (18-55-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 306070
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

dds.txt

attach.txt

[AdvancedSetup]

You may have corrupted files on your disk.  Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

 

[tqh]

Okay.  I ran the above command.  Nothing happened other than the restart.  What should I be looking for?

[AdvancedSetup]

It should have run a Disk Check for at least 20 minutes in a Blue or Gray screen. 

 

Did that appear to run on reboot?  If not please shut down the computer and unplug it for 2 minutes.

Then plug it back in and start it up again and see if the Disk Check runs this time.

[tqh]

I just ran it again and it worked.  Is there a log associated with it? 

[AdvancedSetup]

If you run EVENTVWR.EXE it will open the Event Logs. Then in the Application section you should find an entry for Winlogon

Look for the most recent event from the 'winlogon' source and double click it to open the log.

You can then click on the little book looking icon and it will copy the Event and you can paste that back here on your next reply.

[tqh]

Based on the date/time I believe this is the first one after you instructed me to run the check disc.  I put the most recent one below it.

 

Thanks.

 

 

Event Type:    Information
Event Source:    Winlogon
Event Category:    None
Event ID:    1001
Date:        9/3/2013
Time:        3:18:11 PM
User:        N/A
Computer:    FLOYD
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         
Cleaning up minor inconsistencies on the drive.
Cleaning up 192 unused index entries from index $SII of file 0x9.
Cleaning up 192 unused index entries from index $SDH of file 0x9.
Cleaning up 192 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

 117218240 KB total disk space.
  51132436 KB in 62594 files.
     26776 KB in 9952 indexes.
         0 KB in bad sectors.
    161068 KB in use by the system.
     65536 KB occupied by the log file.
  65897960 KB available on disk.

      4096 bytes in each allocation unit.
  29304560 total allocation units on disk.
  16474490 allocation units available on disk.

Internal Info:
d0 36 01 00 6e 1b 01 00 17 7d 01 00 00 00 00 00  .6..n....}......
3d 1e 00 00 02 00 00 00 90 0a 00 00 00 00 00 00  =...............
30 ce e2 05 00 00 00 00 3c f0 b5 4a 00 00 00 00  0.......<..J....
16 95 66 20 00 00 00 00 ba 92 84 16 04 00 00 00  ..f ............
70 9a d1 c5 03 00 00 00 b6 74 04 55 08 00 00 00  p........t.U....
40 57 ef a0 00 00 00 00 88 38 07 00 82 f4 00 00  @W.......8......
00 00 00 00 00 50 e0 30 0c 00 00 00 e0 26 00 00  .....P.0.....&..

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

 

Here is the one I ran yesterday:

 

Event Type:    Information
Event Source:    Winlogon
Event Category:    None
Event ID:    1001
Date:        9/5/2013
Time:        11:20:52 PM
User:        N/A
Computer:    FLOYD
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         
Cleaning up minor inconsistencies on the drive.
Cleaning up 2 unused index entries from index $SII of file 0x9.
Cleaning up 2 unused index entries from index $SDH of file 0x9.
Cleaning up 2 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

 117218240 KB total disk space.
  51602752 KB in 62943 files.
     26732 KB in 9257 indexes.
         0 KB in bad sectors.
    161580 KB in use by the system.
     65536 KB occupied by the log file.
  65427176 KB available on disk.

      4096 bytes in each allocation unit.
  29304560 total allocation units on disk.
  16356794 allocation units available on disk.

Internal Info:
d0 36 01 00 14 1a 01 00 48 7c 01 00 00 00 00 00  .6......H|......
3d 1e 00 00 02 00 00 00 d3 09 00 00 00 00 00 00  =...............
d6 6b e0 05 00 00 00 00 90 ad af 49 00 00 00 00  .k.........I....
1e bd 02 1d 00 00 00 00 86 26 04 23 04 00 00 00  .........&.#....
d6 38 be c0 03 00 00 00 ac 15 10 58 08 00 00 00  .8.........X....
50 7e ef a0 00 00 00 00 88 38 07 00 df f5 00 00  P~.......8......
00 00 00 00 00 00 95 4d 0c 00 00 00 29 24 00 00  .......M....)$..

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

[AdvancedSetup]

Thanks - basically it did not find much wrong which is a bit unexpected.

Let's run this again now.

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here: C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

[tqh]

Here is the log file.  I have my hidden folders set "not to show".  Should I have changed that?

 

Thanks again!

log.txt

[AdvancedSetup]

That log looks pretty good.

 

So how is the computer running now?

 

What other issues or concerns do you still have left?

 

Thanks

[tqh]

Computer is running fine.  There was just the initial concern that happened; it was really odd.  Anything else you can think of?

[AdvancedSetup]

No not really.  Everything seems okay now.
 
At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
It will also reset your System Restore by flushing out previous restore points and create a new restore point.
It will also remove all the backups our tools may have created.

Uninstall ComboFix (if used):

• Turn off all active protection software including your antivirus.
• Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• Please copy and past the following into the box ComboFix /Uninstall and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.

Remove the rest of the tools used:

Please download OTCleanIt and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not go ahead and delete it by yourself.
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

AdwCleaner Removal:

• Double click on AdwCleaner.exe to run the tool.
• Click on Uninstall
• Confirm with Yes

ESET antivirus Removal:

• This tool can be uninstalled via the Control Panel, Programs, Uninstall

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

• How Malware Spreads - How did I get infected
• Best Practices for Safe Computing - Prevention of Malware Infection
• Avoiding those unwanted free applications
• A close look at how Oracle installs deceptive software with Java updates
• IAC / Ask.com toolbars
• Malwarebytes Unpacked Blog

If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

[tqh]

Okay.  I think everything worked well.  Thanks so much for your help!  Have a good weekend.

[AdvancedSetup]

You're quite welcome.  You have a good weekend too

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!