I know I have malware but...



deathracer
26-12-2008, 02:00 PM
My main computer has been infected with something. Every time I open my internet browser or even connect my PC to the internet, my browser starts going to anti-virus sites and I get stuff popping up asking me to install stuff.
I have an old NOD32 on it which picked up and deleted stuff, but I'm still getting my browser redirected, and now it starts redirecting to my hard drive, so it will say something like http//E. and it shows my directory.

stormdragon
26-12-2008, 02:15 PM
Download malwarebytes (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button), update and run full scan.
Download Hijack This from my signature and post the log file here.

deathracer
26-12-2008, 03:07 PM
Thanks, I will run these. I'm using my spare computer. I'm just concerned someone might be hacking into my PC and/or copying my files.

Speedy Gonzales
26-12-2008, 03:16 PM
Well, if it's on now and connected to the net, it probably is.

Disable system restore on it, reboot, then scan it with Malwarebytes / Trojan Remover, then post a HJT log

deathracer
26-12-2008, 06:37 PM
Still getting pop-ups. My brother set the programs to work offline; how do I set it back, because I can't update the programs now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:50 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\WINDOWS\ehome\ehtray.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\FileZilla Server\FileZilla Server.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Program Files\Eset\nod32krn.exe
E:\Program Files\Pure Networks\Network Magic\nmapp.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Eset\nod32kui.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\DAEMON Tools Lite\daemon.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\PROGRA~1\MICROS~2\rapimgr.exe
E:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\MySpace\IM\MySpaceIM.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\eHome\ehmsas.exe
E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
E:\Program Files\MySpace\IM\MySpaceIM.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] E:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Redemption] "\redemption.exe" /STARTUP
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] E:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IpPVR] D:\\IpPVR.exe
O4 - HKLM\..\Run: [nmapp] "E:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TrojanScanner] E:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [LightScribe Control Panel] E:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: bolcgb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9647 bytes

Speedy Gonzales
26-12-2008, 06:56 PM
Uninstall all versions of Java then update it

Disable system restore, if you haven't yet. Tick these, then tick Fix checked

Close browsers

O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

What does this belong to??

O4 - HKLM\..\Run: [Redemption] "\redemption.exe" /STARTUP

I have no idea what this is or what it belongs to

O4 - HKLM\..\Run: [IpPVR] D:\\IpPVR.exe

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [LightScribe Control Panel] E:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKLM\..\Run: [TrojanScanner] E:\Program Files\Trojan Remover\Trjscan.exe /boot

If you don't use Nero Home, tick this

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"


This looks suss

O20 - AppInit_DLLs: bolcgb.dll

Then reboot

Set what to work offline?? IE, you mean?? Open IE / File / untick Work Offline

Most programs don't have to be online to work; if nothing updates, he's probably pulled the ethernet connection on it, or disabled the NIC
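
As an added example (not code from the thread and not part of HijackThis itself): a small Python triage pass over lines in the HJT log format, applying the same checks that are done by eye above: a non-empty O20 AppInit_DLLs entry, O4 Run values that are bare names or relative/malformed paths, per-user applications autostarting under a HKUS hive, and O23 services with no publisher recorded. The sample lines are constructed after the posted log; the severity labels are my own, not HijackThis ratings.

```python
import re

# Constructed sample in HijackThis v2 line format, modelled on the posted log
# (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Redemption] "\redemption.exe" /STARTUP
O4 - HKLM\..\Run: [IpPVR] D:\\IpPVR.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O20 - AppInit_DLLs: bolcgb.dll
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
"""

# O4 line: hive, [name], command.  The hive may be HKLM, HKCU or HKUS\<SID>.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Absolute path: drive letter, colon, exactly one backslash before the next component.
ABS_RE = re.compile(r"^[A-Za-z]:\\[^\\]")
# Executable: a quoted path, or an unquoted path ending in a known extension
# (handles unquoted paths containing spaces, e.g. "E:\Program Files\...").
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|cmd))(?=\s|$)', re.I)


def exe_of(cmd):
    """Return the program part of a Run value, without its arguments."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0]


def triage(log):
    """Return (severity, line, reason) tuples for lines worth a second look."""
    findings = []
    for line in log.splitlines():
        if line.startswith("O20 - AppInit_DLLs:"):
            dll = line.split(":", 1)[1].strip()
            if dll:  # loaded into every process that pulls in user32.dll
                findings.append(("high", line, "AppInit_DLLs loads %s system-wide" % dll))
        elif line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(("low", line, "service binary with no publisher recorded"))
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = exe_of(m["cmd"])
        if not ABS_RE.match(exe):  # bare name, root-relative, or doubled separators
            findings.append(("medium", line, "Run value is not a clean absolute path: %r" % exe))
        if m["hive"].startswith("HKUS\\"):  # user app autostarting in SYSTEM/Default profile
            findings.append(("medium", line, "per-user app autostarts under %s" % m["hive"]))
    return findings
```

Entries it flags still need the owner's context (here the poster identified redemption.exe and IpPVR.exe as legitimate); the script only narrows the log to what deserves a question.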

deathracer
26-12-2008, 07:37 PM
Thanks for the replies and advice, everything seems normal.
The redemption.exe belongs to my external HDD and
the IpPVR.exe is for my FTA box.

Speedy Gonzales
26-12-2008, 07:43 PM
If system restore is still disabled, find bolcgb.dll and delete it.

If you think it's better than before, enable system restore

deathracer
26-12-2008, 07:53 PM
Thanks, it's definitely better. I also want to thank my neighbours for throwing out their old Compaq so I can fix it up and use it when stuff like this happens. To think all this happened because I didn't check if my antivirus was even turned on, and let a bunch of little kids use my computer.

Speedy Gonzales
26-12-2008, 07:56 PM
lol no probs. Good to hear it's running better :)

deathracer
26-12-2008, 08:26 PM
I do have one problem: my Java won't install. I downloaded it from the internet and I double-click to install, but it just stays the same, nothing downloads, and when I click cancel it just freezes on me.

Speedy Gonzales
26-12-2008, 08:31 PM
Did you get the 32-bit version? jre-6u11-windows-i586-p ?

deathracer
26-12-2008, 08:41 PM
I got xpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008.exe, didn't see any options on the site.

Speedy Gonzales
26-12-2008, 08:48 PM
Get this (http://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/VerifyItem-Start/jre-6u11-windows-i586-p.exe?BundledLineItemUUID=2O5IBe.m6zYAAAEe5SRSRHJ6&OrderID=E.hIBe.mS.sAAAEe1SRSRHJ6&ProductID=0TVIBe.o9RsAAAEdDu5Gb7FN&FileName=/jre-6u11-windows-i586-p.exe)

It's the full install. I have no idea what the file is you downloaded

deathracer
26-12-2008, 09:00 PM
Thank you, worked perfectly. I was dying trying to torrent an anime file with 30kbs download speed :lol:.

Speedy Gonzales
26-12-2008, 09:18 PM
lol cool it worked

apsattv
26-12-2008, 10:18 PM
One more thing: update to IE7

deathracer
27-12-2008, 05:23 PM
one more thing update to IE7

I don't even use IE, I have been using Firefox for a really long time now. Or
should I still update just to make sure?

Speedy Gonzales
27-12-2008, 05:40 PM
Nah I wouldn't worry about it.

Unless you want to install more updates, after you install IE 7

apsattv
28-12-2008, 05:16 PM
I thought there are older system files that installing IE7 replaces, even if you don't use IE at all?