[Resolved] NEED Hijack log help PLEASE ANDTHANK YOU.


This topic is locked. 47 replies to this topic.

#16 steve1147 (Authentic Member, 59 posts)

Posted 04 April 2008 - 06:07 PM

This is weird. It did this yesterday, but cleared up to normal on a reboot. It's funny, the layout of Windows is even different: where "My Computer" was on the desktop before, now it's in the Start menu, etc., etc., and all my pics/files aren't on the desktop, and "My Documents" contains nothing but the original empty folders, when it was full before. Like I said, it did this yesterday, but changed back to normal on a start-up. It's as if it thinks I'm a different user with a whole different desktop and files or something, but it doesn't allow me to log in or out; it only has ONE user registered... Barney/Administrator. I KNOW it used to show TWO users, Barney AND Administrator. I really think all my stuff is still on here somewhere. Restore doesn't help. Help????


#17 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 04 April 2008 - 07:09 PM

As I think about this and ask colleagues about this situation (which I will do), take some time and back up all important documents/pictures and so forth,
just in case things continue to get worse and a reformat is a probability.
Certainly sounds to me like Windows is about to crash on you. Things are changing for no apparent reason. Whether this be about malware, which by the looks of ComboFix you certainly had a lot of, or be it just a Windows error situation, the probability exists you're about to crash. So it is best to be ready to minimize problems, heartaches and heartbreaks.

All the tools we have used I use on many, many computers over the years without a single issue. So I can't in all reality blame them.

You have tried System Restore more than one time, I assume? Going back further each time?

You mentioned you do not have any of the original disks. This may end up being a bad situation, as a reformat isn't a possibility unless there is a backup on the computer, as listed by an alternative hard drive.

When you click My Computer, you will see Local Disk C listed, more than likely.

Do you see another local disk listed?

_____________________________

At this point just answer my questions as best you think you can.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#18 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 04 April 2008 - 07:15 PM

As I think about this and ask colleagues about this situation (which I will do), take some time and back up all important documents/pictures and so forth,
just in case things continue to get worse and a reformat is a probability. Unfortunately, without any disks that came with the computer you will have to do one of two things:
Contact the manufacturer of the computer, or
Take it to a computer shop to have Windows reinstalled. At this point I don't think a repair is in order (in case they mention it).

Certainly sounds to me like Windows is about to crash on you. Things are changing for no apparent reason. Whether this be about malware, which by the looks of ComboFix you certainly had a lot of, or be it just a Windows error situation, the probability exists you're about to crash. So it is best to be ready to minimize problems, heartaches and heartbreaks.

All the tools we have used I use on many, many computers over the years without a single issue. So I can't in all reality blame them.

You have tried System Restore more than one time, I assume? Going back further each time?

You mentioned you do not have any of the original disks. This may end up being a bad situation, as a reformat isn't a possibility unless there is a backup on the computer, as listed by an alternative hard drive.

When you click My Computer, you will see Local Disk C listed, more than likely.

Do you see another local disk listed?

_____________________________


At this point just answer my questions as best you think you can.

#19 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 05 April 2008 - 06:07 AM

Go to this web site and look at the chart. I want you to get all the services set up the way Microsoft intended by default. More than likely your Plug and Play service is shut off. But we should check to see that the rest of them are correct.

Do this by:

Going to Start > Run, typing/copying in: Services.msc and clicking OK.
Look at each and every name on the chart, then
double-click on it on your computer.

Then as Startup type choose the default setting for XP Home/Pro, depending on which version of Windows you have.

Click APPLY then OK for each one.

When they're all done, reboot the computer.

Check again to see if the Device Manager is working now.

Also try to connect to the internet.

________________________________

Still no internet connection?

Try this:

Download winsock fix.exe by Explicit from here
to your desktop.
Click on the file to open it.
Choose Fix and follow the prompts.

Let me know how all this goes.
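The services check bob4 describes above is done by hand, one service at a time, against a chart that the thread links to but does not reproduce. As an added example (not from the thread, and not bob4's chart), the PowerShell script below does the same comparison for a handful of services against an expected-defaults table and reports anything that has drifted; with -Fix it restores the expected start mode. The table is a constructed, partial illustration of XP defaults, and the script assumes PowerShell 2.0 or later in an administrator session.

```powershell
# Added example (not from the thread, not bob4's chart): compare the start mode of
# a handful of Windows XP services against an expected-defaults table and report
# anything that drifted. The table is a constructed, partial illustration; the
# thread points at an external chart for the full list, which is not reproduced.
# Assumes PowerShell 2.0 or later and an elevated (administrator) session.
param([switch]$Fix)   # pass -Fix to restore the expected start mode

$expectedDefaults = @{
    'PlugPlay'          = 'Auto'      # Plug and Play (bob4's prime suspect)
    'Dhcp'              = 'Auto'      # DHCP Client
    'Dnscache'          = 'Auto'      # DNS Client
    'Eventlog'          = 'Auto'      # Event Log
    'RpcSs'             = 'Auto'      # Remote Procedure Call (RPC)
    'lanmanworkstation' = 'Auto'      # Workstation
    'wuauserv'          = 'Auto'      # Automatic Updates
    'SharedAccess'      = 'Auto'      # Windows Firewall / Internet Connection Sharing
    'Messenger'         = 'Disabled'  # Messenger service, off by default since SP2
}

# Win32_Service.StartMode reports Auto/Manual/Disabled (plus Boot/System for
# drivers); Set-Service expects Automatic/Manual/Disabled.
$startupTypeFor = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Get-ServiceStartModeDrift {
    param([hashtable]$Expected)
    $drift = @()
    foreach ($entry in $Expected.GetEnumerator()) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($entry.Key)'"
        if ($svc -eq $null) { continue }   # not installed on this edition (e.g. XP Home)
        if ($svc.StartMode -ne $entry.Value) {
            $drift += New-Object PSObject -Property @{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                Current     = $svc.StartMode
                Expected    = $entry.Value
                State       = $svc.State
            }
        }
    }
    return $drift
}

$drift = Get-ServiceStartModeDrift -Expected $expectedDefaults
if (-not $drift) {
    Write-Host 'All listed services match their expected start modes.'
} else {
    $drift | Format-Table Name, DisplayName, Current, Expected, State -AutoSize
    if ($Fix) {
        foreach ($d in $drift) {
            Set-Service -Name $d.Name -StartupType $startupTypeFor[$d.Expected]
            Write-Host "Restored $($d.Name) to $($startupTypeFor[$d.Expected])"
        }
    }
}
```

Run it once without -Fix to see the report, then with -Fix and a reboot, which is what bob4 asks for anyway, since changing a start mode does not start the service. From a defender's point of view the report itself is the useful part: a long list of services sitting at Disabled, especially the firewall, Automatic Updates and the antivirus (steve1147 later mentions AVG had been disabled too), is a pattern worth recording before anything is changed back.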

#20 steve1147 (Authentic Member, 59 posts)

Posted 05 April 2008 - 06:38 AM

I've tried System Restore numerous times, HOWEVER it only offers me ONE restore point, last Friday. The calendar part won't let me change months. The only drives listed are C, D (removable disc, which says "insert disc" when I click on it), and E (CD drive). I found and backed up to CD my pics, etc. Seems all the stuff is in the user files I can't log on in. There are 3 users: Barney (where even my desktop stuff is hiding), BarneyHomeComputer, and Administrator. HOWEVER, the computer gives me NO option of logging on as just Barney. It logs on as BarneyHomeComputer (I don't have a CLUE where that came from) and opens HIS desktop, not mine? I try Switch Users, but it does nothing to allow a different log-on. HOW can I force the computer to log me on to that user account? Can I download a driver for the modem if that's an issue after I get my desktop back, if possible? Thanks, Steve W.

#21 steve1147 (Authentic Member, 59 posts)

Posted 05 April 2008 - 01:58 PM

OK!!!! I did the "Services.msc" thing (took a while, almost all things had been disabled, but I restored according to the website you sent). Now I can get on the internet and the Device Manager is showing a bunch of stuff. My NEXT problem is getting logged on to where my STUFF is available, as "Barney" and not "Barney/HomeComputer". Tell me what to do next; should I revert back to your prior posts and update Java, etc.???? I still don't have my normal desktop, etc., but it appears a LOT more is working now. THANK YOU, Steve W.

#22 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2008 - 05:47 AM

What has happened is the old username (Barney) was so corrupt Windows couldn't boot any more because of
malware and trying to fix it. Something that happens from time to time with heavily infected machines.
So it created Barney/HomeComputer.
We are now going to try and get your old data and information all moved over to a new name.
Barney is no more.
Some things can not be moved, such as printer settings, wallpaper and screen savers.
These will all have to be reconfigured later. This explains your desktop being different.
Least of your worries.

Using Windows Explorer,
I want you to navigate and see if this folder exists:
C:\Documents and Settings\Barney
If it does, we are in luck and you may continue.

__________________________________
A. Create a New User Profile

1. Log on as the Administrator or as a user with administrator credentials. (Barney's Home computer should work.)
2. Click Start, and then click Control Panel.
3. Click User Accounts.
4. Under Pick a task, click Create a new account.
5. Type a name for the user information, and then click Next.
6. Click an account type, and then click Create Account.
7. Go ahead and create a new account name. This will be the name you use to log on to Windows once we have all this done.

_______________________________________________________
B. Copy Files

1. In Windows Explorer, click Tools, click Folder Options, click the View tab, click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.
2. Locate C:\Documents and Settings\Barney << old user name.
3. Press and hold down the CTRL key while you click each file and subfolder in this folder,

except the following files:
Ntuser.dat
Ntuser.dat.log
Ntuser.ini

Do NOT copy those.

4. On the Edit menu, click Copy.
5. Locate C:\Documents and Settings\New_Username, where New_Username is the name of the user profile that you created in the "Create a New User Profile" section.
6. On the Edit menu, click Paste.
7. Log off the computer, and then log on as the new user.

___________________________________________________________
Let me know what e-mail program you were using.
Or if you just care to set up your e-mail again, you can do that.

Let me know how all this went.
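Section B above is a manual copy with three files left out. As an added example (not bob4's steps and not code from the thread), the PowerShell script below performs the same copy from the old profile folder to the new one, skipping exactly Ntuser.dat, Ntuser.dat.log and Ntuser.ini at the profile root, and reports how many files it moved. The paths and the new account name "Owner" follow the thread but are assumptions; it assumes PowerShell 2.0 or later, run from an administrator-level account while neither the old nor the new user is logged on.

```powershell
# Added example (not bob4's steps, not the thread's code): copy a user's profile
# data from the old, unloadable profile folder to the new one while skipping the
# per-user registry hive files that bob4 says must not be copied. Paths and the
# new account name 'Owner' follow the thread; treat them as assumptions.
# Run from a third, administrator-level account while neither user is logged on.
param(
    [string]$OldProfile = 'C:\Documents and Settings\Barney',
    [string]$NewProfile = 'C:\Documents and Settings\Owner'
)

# The old profile's registry hive and its companions; copying these would carry
# the broken per-user settings over to the fresh account.
$hiveFiles = @('ntuser.dat', 'ntuser.dat.log', 'ntuser.ini')

function Copy-ProfileData {
    param([string]$Source, [string]$Destination, [string[]]$SkipAtRoot)
    $result = @{ Files = 0; Skipped = 0 }
    # -Force makes hidden and system items (ntuser.dat is hidden) visible to the loop.
    foreach ($item in Get-ChildItem -LiteralPath $Source -Force) {
        if ($SkipAtRoot -contains $item.Name.ToLower()) {
            $result['Skipped'] = $result['Skipped'] + 1
            continue
        }
        $target = Join-Path $Destination $item.Name
        if ($item.PSIsContainer) {
            # Recreate the folder and recurse into it, so folders that already
            # exist in the new profile (My Documents, Desktop) are merged rather
            # than nested one level deeper, as Copy-Item -Recurse would do.
            if (-not (Test-Path -LiteralPath $target)) {
                New-Item -ItemType Directory -Path $target | Out-Null
            }
            $sub = Copy-ProfileData -Source $item.FullName -Destination $target -SkipAtRoot @()
            $result['Files'] = $result['Files'] + $sub.Files
        } else {
            Copy-Item -LiteralPath $item.FullName -Destination $target -Force
            $result['Files'] = $result['Files'] + 1
        }
    }
    return New-Object PSObject -Property $result
}

foreach ($p in @($OldProfile, $NewProfile)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Profile folder not found: $p" }
}
$summary = Copy-ProfileData -Source $OldProfile -Destination $NewProfile -SkipAtRoot $hiveFiles
Write-Host ("Copied {0} files, skipped {1} hive files at the profile root." -f $summary.Files, $summary.Skipped)
```

The skip list is applied only at the profile root, which is where those three files live; everything below (Desktop, My Documents, Favorites, Application Data) is copied in full, matching the thread's instructions. If the script reports 0 skipped files, the old folder was not the profile you thought it was, so check the path before logging on as the new user.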

#23 steve1147 (Authentic Member, 59 posts)

Posted 06 April 2008 - 06:58 AM

Ok, did all that, created "Owner" as user, moved all of "Barney's" stuff, then rebooted to the same desktop; seems the computer created "OwnerHOMECOMPUTER" for me... and logged it in!

#24 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2008 - 07:03 AM

OK, so at this point everything seems OK?? Please post a new HJT log if everything seems OK.

#25 steve1147 (Authentic Member, 59 posts)

Posted 06 April 2008 - 07:23 AM

Nope, the desktop is not OK, it's the same generic one. Instead of booting up my created "Owner" desktop it did the same thing it did to the "Barney" user: recreated its own user, adding "Homecomputer" to the name, and added it to Documents and Settings to boot from. Maybe a ball peen hammer should be the next "tool" I use!!!!
Anyway, here's the latest HijackThis scan. Should I re-run Spybot and Ad-Aware, or did my restore attempts negate anything we did since?
Of course the GOOD news is the modem and all seems to be working now since I restored the default settings to about 100 things in the Services deal that were disabled by something.
THANK YOU

Logfile of HijackThis v1.99.1
Scan saved at 8:13:40 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.cpqcorp.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF3612.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165524748756
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


#26 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2008 - 08:24 AM

Hmm... Strange, to be sure. Let me ask you this: when you shut down and restart, what accounts/user names are you presented with to log on with?

#27 steve1147 (Authentic Member, 59 posts)

Posted 06 April 2008 - 09:06 AM

Although in Documents and Settings there are folders "Barney", "Barney.HOMECOMPUTER", "All Users", "Administrator", my just-created "Owner", and now the computer-generated "Owner.HOMECOMPUTER", the only log-in options at start-up are "Barney" and now "Owner", no reference to the "HOMECOMPUTER" on either, and they both boot up the same generic screen with basic icons. If I open the original "Barney" folder, or my new "Owner" folder manually, I can access my pictures, music, etc. no problem from there, and open the "Desktop" folder, and there are all my prior desktop icons and links, but SOMETHING in there won't allow SOMETHING else to happen!! Have you ever heard of a computer creating its own users before? Thanks, Steve W.

#28 steve1147 (Authentic Member, 59 posts)

Posted 06 April 2008 - 09:07 AM

That computer also has AVG antivirus on it; if needed I can scan with it. It too had been disabled before I reactivated it in "Services".

#29 bob4 (MalwareTeam Emeritus, 2,205 posts)

Posted 06 April 2008 - 10:24 AM

I think I see now.
Owner is working just fine. You can log off and log on to it, correct?
The desktop settings have to be replaced: all your icons/shortcuts/wallpaper/screen savers and such.

Do not attempt to replace any shortcuts from an old folder to your new desktop. Just do the work of creating all the shortcuts again.

Now let's get Java updated.

You need to update Sun Java for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6 Update 5

  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5
    ... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation, with or without Multi-language, and save to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe
    to install the newest version.

Let me know how things seem now.

#30 steve1147 (Authentic Member, 59 posts)

Posted 06 April 2008 - 12:51 PM

No, "Owner" is not working fine; it recreated its own version as "Owner.HOMECOMPUTER" and substitutes it for my login as "Owner".
