It's hijacked



HotShotAB
13-07-2009, 04:11 PM
Hi guys, need some help. My mom's computer is really, really messed up. I downloaded Malwarebytes, but it will not install. It won't open a lot of programs. So I downloaded HijackThis to give it a shot, but it won't install either. I'm guessing something in the registry is jacked, but I don't know how to get it to install either of these programs to show you guys.

Any ideas?

Speedy Gonzales
13-07-2009, 04:15 PM
Rename the HijackThis install file, then install it, then run it. If it's connected to the net, post the log here after. If it won't open a browser (if it's XP, boot into safe mode with networking), then try it again.

HotShotAB
13-07-2009, 04:36 PM
dang, you really are speedy.. thank you.

I tried what you said, but when I try to install HijackThis under a different name it just pops up a shortcut icon on the desktop under HijackThis no matter what I name it. Then, if I try to run that icon, nothing happens.

I'm in safe mode also.

Same thing with malwarebytes.

Speedy Gonzales
13-07-2009, 04:40 PM
Ok. If it's got XP on it, disable System Restore first (My Computer on the desktop / Properties / System Restore tab). Press Ctrl-Alt-Del: does Task Manager open? Go to Start / Run, type regedit. Does regedit open? These are usually affected (they won't open) if you're infected with something pretty nasty.

HotShotAB
13-07-2009, 04:49 PM
Yes, it does have XP.

regedit and Ctrl + Alt + Del both pop up. I am in safe mode though.

If I go to My Computer / Properties, I don't have a System Restore tab. There is no My Computer icon on the desktop. I went to Start / My Computer / etc...

wainuitech
13-07-2009, 04:49 PM
Download ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) or direct link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe). You may need to run this in safe mode if the system is that badly infected.

Note: when it runs, sometimes it appears to be doing nothing, when in fact it is working - be patient and let it do its job.

If it's really bad, make sure you have all your data backed up - badly infected PCs are sometimes unable to be fixed completely, and a reinstall is sometimes needed.

"Sometimes" when removing infections the PC won't boot after they have gone, due to the damage caused.

HotShotAB
13-07-2009, 05:38 PM
Ok. If it's got XP on it, disable System Restore first (My Computer on the desktop / Properties / System Restore tab). Press Ctrl-Alt-Del: does Task Manager open? Go to Start / Run, type regedit. Does regedit open? These are usually affected (they won't open) if you're infected with something pretty nasty.

I found the System Restore button and turned it off... I'm an idiot, sorry.



Download ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) or direct link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe). You may need to run this in safe mode if the system is that badly infected.

Note: when it runs, sometimes it appears to be doing nothing, when in fact it is working - be patient and let it do its job.

If it's really bad, make sure you have all your data backed up - badly infected PCs are sometimes unable to be fixed completely, and a reinstall is sometimes needed.

"Sometimes" when removing infections the PC won't boot after they have gone, due to the damage caused.

I downloaded ComboFix and tried to run it in safe mode... wouldn't do anything. I'm going to try it in regular Windows now... see what happens.

Speedy Gonzales
13-07-2009, 05:42 PM
Hmm, I could try getting into your system (while you're in safe mode with networking). Is CCleaner (www.ccleaner.com) installed? Or/and TeamViewer? (www.teamviewer.com)

If it is, I could log in and see what's running on startup..

pctek
13-07-2009, 05:57 PM
Hook the drive up to another PC. Scan with everything that way.
Put it back in her PC and now install everything and scan again. (In safe mode)
Usually works.

HotShotAB
13-07-2009, 06:17 PM
Hmm, I could try getting into your system (while you're in safe mode with networking). Is CCleaner (www.ccleaner.com) installed? Or/and TeamViewer? (www.teamviewer.com)

If it is, I could log in and see what's running on startup..

CCleaner is installed and I ran it just a while ago.


Hook the drive up to another PC. Scan with everything that way.
Put it back in her PC and now install everything and scan again. (In safe mode)
Usually works.

You are way overestimating my skills.. haha. Thank you for the comments though.

----------------------------------------------------------------------

It will not open up just about any program that I try. It won't open up Spybot, ComboFix, HijackThis, Malwarebytes.... none of those. It will download them to the desktop, but when I go to install them, nada!

gary67
13-07-2009, 06:18 PM
Where are you? In NZ somewhere?

HotShotAB
13-07-2009, 06:19 PM
California

ubergeek85
13-07-2009, 06:20 PM
It seems to me that it would be easier to back up her data, then begin from scratch.

Speedy Gonzales
13-07-2009, 06:20 PM
What's in Tools / Startup though? It's what's in Startup that's probably stuffing things up. If you can run this, go to Uninstall / Save to text file and post what's in here as well. Nothing wrong with connecting the HDD to another system and scanning it. If there's malware on it, it'll remove it.

Blam
13-07-2009, 06:22 PM
If malware is preventing you from opening these programs, then you will have to open Task Manager and kill the processes manually, then scan with MBAM when it can open...

HotShotAB
13-07-2009, 06:25 PM
What's in Tools / Startup though? It's what's in Startup that's probably stuffing things up. If you can run this, go to Uninstall / Save to text file and post what's in here as well.

Clarify for me, dude. I have no idea what you just said. Uninstall?

I know how to uninstall things from Add/Remove Programs...

HotShotAB
13-07-2009, 06:27 PM
If malware is preventing you from opening these programs, then you will have to open Task Manager and kill the processes manually, then scan with MBAM when it can open...


Kill all of the processes, or are there certain ones that I should look for?

ubergeek85
13-07-2009, 06:30 PM
Clarify for me, dude. I have no idea what you just said. Uninstall?

I know how to uninstall things from Add/Remove Programs...

Start -> Run -> msconfig -> Startup should tell you almost everything that is starting up, unless core exe's have been 'patched' to start the malware processes.

HotShotAB
13-07-2009, 06:36 PM
Start -> Run -> msconfig -> Startup should tell you almost everything that is starting up, unless core exe's have been 'patched' to start the malware processes.

Cool, got it. How do I save/post a text log of that though? There are a few "unknowns" in there.

Blam
13-07-2009, 06:48 PM
Just maximise the window, do a print screen, paste in paint and upload here then give us the link:
http://imagef1.net.nz/?page=basic

Blam

Speedy Gonzales
13-07-2009, 07:01 PM
Tools / Uninstall / Save to text file in CCleaner will let you save what's in Add/Remove Programs. Copy and paste what's in it in here, so we can see what's in it. Malware may have installed on your system as well, and its entry will be here.

Do the same for Tools / Startup in CCleaner: maximise it, press PrtScn, then paste it in some paint / graphics program. Then save it / upload it to the link Blam gave.

HotShotAB
13-07-2009, 07:06 PM
It doesn't give the option to maximize the screen. I tried Ctrl + C to try and just copy and paste the highlighted words, but that didn't work either.

HotShotAB
13-07-2009, 07:07 PM
Tools / Uninstall / Save to text file in CCleaner will let you save what's in Add/Remove Programs. Copy and paste what's in it in here, so we can see what's in it. Malware may have installed on your system as well, and its entry will be here.

Do the same for Tools / Startup in CCleaner: maximise it, press PrtScn, then paste it in some paint / graphics program. Then save it / upload it to the link Blam gave.


Gotcha... sorry, I didn't see this until after I posted. BRB

HotShotAB
13-07-2009, 07:11 PM
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Banctec Service Agreement
Browser Mouse
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell System Restore
Dial 4.0
Digital Line Detect
eAcceleration
HP Deskjet 5700 Series
HP Photo & Imaging 3.1
HP Software Update
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office XP Web Components
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Helper
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetWaiting
NetZeroInstallers
PowerDVD 5.3
QuickTime
RealArcade
RealPlayer Basic
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Viewpoint Media Player
Wal-Mart Music Downloads Store
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Toolbar
Windows XP Service Pack 3

HotShotAB
13-07-2009, 07:15 PM
http://www.imagef1.net.nz/files/ccleanerlog.JPG

This is the link to the picture.

Speedy Gonzales
13-07-2009, 07:22 PM
Delete the Antivirus Pro 2009 entry. Antivirus Pro 2009 is rogue software (the messages it's showing are FAKE). You can delete the TeaTimer entry, the Sun Java Update (uninstall all versions of Java, it's out of date, then update it), the HP Software Update entry, the QuickTime entry, the ISUSPM entry, and the DXDllRegExe entry. Then reboot.

Did you scan with Malwarebytes? It should have picked up Antivirus Pro and removed it. If you didn't, update it, then scan. The entries in Add/Remove look ok. But I would update Java (after you uninstall it). And update Adobe Reader, or use an alternative. And update Firefox, it's now up to 3.5.

feersumendjinn
13-07-2009, 07:25 PM
This is one of your problems
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2009

HotShotAB
13-07-2009, 07:28 PM
Delete the Antivirus Pro 2009 entry. Antivirus Pro 2009 is rogue software (the messages it's showing are FAKE). You can delete the TeaTimer entry, the Sun Java Update (uninstall all versions of Java, it's out of date, then update it), the HP Software Update entry, the QuickTime entry, the ISUSPM entry, and the DXDllRegExe entry. Then reboot.

Did you scan with Malwarebytes? It should have picked up Antivirus Pro and removed it. If you didn't, update it, then scan. The entries in Add/Remove look ok. But I would update Java (after you uninstall it). And update Adobe Reader, or use an alternative. And update Firefox, it's now up to 3.5.

I knew about the antivirus crap, that was my mom's doing when she was trying to fix it herself. Anyway, when I try to find it now, I can't. I know it shows on the log, but I don't see it on the uninstall screen... let me look again before I stick my foot in my mouth any further.

Speedy Gonzales
13-07-2009, 07:34 PM
Delete its entry in Startup and the other entries first, then reboot. Then update Malwarebytes and scan.

wainuitech
13-07-2009, 07:53 PM
AV Pro 2009 can be a real bugger to remove - Malwarebytes will get most of it, but not all (usually); you may have to manually check and remove any leftovers.

Once Malwarebytes has done its scan, run Spybot S&D, as well as SuperAntiSpyware; you'll be surprised how many infections the whole lot combined remove (software links from my sig). Then have a look at this thread (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2009). Scroll down to the bottom, and check each one has been deleted - if they have not, then it will reinfect.

NOTE: ALWAYS do full scans - not quick scans.

HotShotAB
13-07-2009, 07:56 PM
Speedy.. did what you told me. The AV09 stuff is still popping up. I uninstalled and reinstalled Malwarebytes. Still will not install on the computer. I cannot scan it yet. I'll attach a new log so you can see.

HotShotAB
13-07-2009, 07:57 PM
AV Pro 2009 can be a real bugger to remove - Malwarebytes will get most of it, but not all (usually); you may have to manually check and remove any leftovers.

Once Malwarebytes has done its scan, run Spybot S&D, as well as SuperAntiSpyware; you'll be surprised how many infections the whole lot combined remove (software links from my sig). Then have a look at this thread (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2009). Scroll down to the bottom, and check each one has been deleted - if they have not, then it will reinfect.

NOTE: ALWAYS do full scans - not quick scans.


If I could just get malwarebytes to run...

HotShotAB
13-07-2009, 08:00 PM
http://www.imagef1.net.nz/files/updatedlog.JPG

updated log... see if I missed anything.

Speedy Gonzales
13-07-2009, 08:01 PM
Get TeamViewer if you want and I'll check it out from here. So how did you uninstall it if it didn't install? Or, since it was installed, why did you uninstall it (Malwarebytes)? Since it was in Add/Remove Programs. The startup entries look ok now.

HotShotAB
13-07-2009, 08:07 PM
Sorry, meant to say that it would install, but it will not run. Just sits idle after clicking on Run. I also had to rename it to get it to install. I'm downloading TeamViewer right now.

Speedy Gonzales
13-07-2009, 08:09 PM
Send me a pm with the ID and password, after you install it and run it. Better not put it in this post.

Speedy Gonzales
13-07-2009, 08:33 PM
Send me another PM, Hotshot. Looks like Trojan Remover picked up a rootkit, UACD.sys. Whatever it was, it was hiding. It also had this (http://www.sophos.com/security/analyses/viruses-and-spyware/trojdorfbv.html). It probably rebooted, as it d/c'd me.

Speedy Gonzales
13-07-2009, 09:02 PM
Right, think I fixed it, bloody trojan and rootkit! That bloody Mcenspc.dll and brastk.exe file. Soon find out.

HotShotAB
13-07-2009, 09:29 PM
Alright... you got it to where I could run Malwarebytes. It caught 46 more infected objects. I'm going to run it again now and see if it catches any more. I just wanted to give you an update. I'll post the Malwarebytes log if there aren't any more infections.

I can already tell that it's about 4 million times better though. Thank you, Speedy!

Speedy Gonzales
13-07-2009, 09:31 PM
No worries, good to hear :) At least Malwarebytes is running! I would install something like Avast Home (free) or NOD32, if you want to pay for something. And make sure Windows is up to date with updates. It probably didn't affect Trojan Remover, because that changes filenames. So nothing (hopefully) can stop it.

HotShotAB
13-07-2009, 09:42 PM
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 1:38:48 AM
mbam-log-2009-07-13 (01-38-48).txt

Scan type: Quick Scan
Objects scanned: 90693
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Speedy Gonzales
13-07-2009, 09:44 PM
Looks good / clean to me :thumbs: Nothing is infected, according to that log

wainuitech
13-07-2009, 09:55 PM
Do a FULL scan - not quick - the quick scan rarely catches everything.

As mentioned before, don't rely completely on just Malwarebytes - many times I have removed infections with that, only to find that if you run Spybot & SuperAntiSpyware in FULL scan modes they find others.

HotShotAB
13-07-2009, 10:05 PM
Do a FULL scan - not quick - the quick scan rarely catches everything.

As mentioned before, don't rely completely on just Malwarebytes - many times I have removed infections with that, only to find that if you run Spybot & SuperAntiSpyware in FULL scan modes they find others.

Will do, tomorrow.

I just ran HijackThis and this is the log for that. I'm going to bed now, I'll check everything in the morning. Thanks everybody for the F1.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:28 AM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214191987484
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7391 bytes

Speedy Gonzales
13-07-2009, 10:27 PM
You can tick these, then tick Fix checked. Close browsers.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Uninstall Java, then update it. I would also update IE, if this is the only browser you use. And update Windows.

Uninstall WeatherBug, and tick this entry:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
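
Added example (the editor's, not code from HijackThis or from anyone in this thread): a small Python script that reads a HijackThis log in the format posted above and pulls out the same kinds of entries Speedy ticked. It flags orphaned entries marked "(no file)" or "(file missing)", O6/O7 policy restrictions (the same family of lockouts as Task Manager or regedit refusing to open, which Speedy asked about at the start), O23 services with an unknown owner, and O4 Run entries that launch from a user profile or Temp directory, which covers the "what's in startup" question from earlier. The sample log inside the script is constructed: most lines are copied from the logs above, the [EXAMPLE-ONLY] O4 entry and the "mom" user name in it are made up to exercise the profile-directory rule, and that rule plus the reading of O7 as a regedit restriction are assumptions rather than anything the thread states.

```python
"""Triage a HijackThis v2 log: pull out the entries a helper would tick first.

Editor's added example for this thread; not HijackThis code and not posted by
anyone in the thread. The "(no file)" / "(file missing)" markers and section
prefixes are the ones visible in the logs above. The O7 meaning and the
profile-directory rule are assumptions, explained in the comments.
"""
import re

# Constructed sample in the shape of the logs posted in this thread. Most lines
# are copied from those logs; the [EXAMPLE-ONLY] O4 entry (and the "mom" user
# name in it) is made up to exercise the profile-directory rule.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [EXAMPLE-ONLY] C:\Documents and Settings\mom\Local Settings\Temp\example.exe /s
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
"""

# Entry lines look like "O4 - HKLM\..\Run: [Name] command"; sections are R/F/N/O + number.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
AUTORUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# A registry entry still pointing at a file that is gone: leftover of a removed
# program or of a cleaned infection. Harmless, but it is what gets ticked.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption (editor's heuristic, not from the thread): on XP an autorun under
# the user profile or Temp deserves a second look, because that is where a
# user-level dropper can write without admin rights.
PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

# O6 = IE options restricted by policy (seen in the log above); O7 = regedit
# restricted by policy, per HijackThis's section list (assumption: the thread
# itself never shows an O7 line).
POLICY_SECTIONS = ("O6", "O7")


def parse_hjt_log(text):
    """Split a log into (running process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return processes, entries


def autorun_image(body):
    """Return the executable path from an O4 '[Name] command' body, else None.

    Handles both quoted commands and the unquoted paths with spaces that
    HijackThis prints (e.g. C:\\Program Files\\...\\ISStart.exe).
    """
    m = AUTORUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def triage(text):
    """Return [(tag, section, body), ...] for the entries worth a look."""
    _, entries = parse_hjt_log(text)
    findings = []
    for section, body in entries:
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(("ORPHAN", section, body))
        elif section in POLICY_SECTIONS:
            findings.append(("POLICY", section, body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("UNKNOWN_SERVICE", section, body))
        elif section == "O4":
            image = autorun_image(body)
            if image and any(d in image.lower() for d in PROFILE_DIRS):
                findings.append(("PROFILE_AUTORUN", section, body))
    return findings


if __name__ == "__main__":
    for tag, section, body in triage(SAMPLE_LOG):
        print(f"{tag:16} {section:4} {body}")
```

It only reads the log text and never touches the registry, so it can be run on any machine, including a clean one, against a saved log. The ORPHAN matches are the same lines Speedy picked out by eye above; anything tagged PROFILE_AUTORUN or UNKNOWN_SERVICE is a "look at it", not a "delete it": check the path and the vendor before ticking it in HijackThis.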

HotShotAB
14-07-2009, 04:18 AM
Updated hijack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:51 AM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214191987484
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 6658 bytes

HotShotAB
14-07-2009, 06:52 AM
OK, I just ran a full scan on Spybot and it found a ton of stuff.

Is it ok to just click "Fix Problems" after everything is checked?

gary67
14-07-2009, 07:38 AM
It should be

wainuitech
14-07-2009, 08:57 AM
It should be
Ditto -- generally speaking it's fine - never had any problem with removing items Spybot discovered.

If you want to make sure it's all gone, run both SuperAntiSpyware & Spyware Terminator as well -- they may or may not find others.

No one anti-malware program gets everything.

Hint: always run full scans on the software if there is that option.

Speedy Gonzales
14-07-2009, 09:31 AM
And if you do online banking or similar online, now is a good time to change all of your passwords.

HotShotAB
14-07-2009, 09:42 AM
Thanks guys for all the help.

I just downloaded avast and it brought this computer to a screeching halt. So, I uninstalled it and it seems to be better. It's still kind of glitchy, but its usable. The computer is about 5 years old, but I can't imagine the memory or diskspace being so full that it doesn't run smoothly. Especially with the little amount of data that my mom has on here.

Speedy Gonzales
14-07-2009, 09:52 AM
What did Avast do? Did it crash?

HotShotAB
14-07-2009, 09:55 AM
No it didn't crash, but it slowed the computer down so much that it made it unusable. I could click on the start button and about 3 minutes later, it would start loading that folder. Now that I uninstalled it, it's working like it was last night (for me).

wainuitech
14-07-2009, 10:15 AM
Try the NOD32 trial (http://www.eset.com/download/free_trial_download_int.php), ESET NOD32 Antivirus 4.

See if that works; it's not a free antivirus (the trial is for 30 days).