Malwareteks :: Forums :: Malware Support :: Inactive Malware Threads
 
[INACTIVE] Friends Log (VMarm)
Moderators: ShadowPuterDude, Greg, D3m3nt3d, Brandon, Vmarm, peterparker, siljaline, jholland1964, TurcoLoco, Windsor, JeanInMontana, KZ, RatHat, Jason Amison, MrCharlie
This thread is now closed
Vmarm
Mon Feb 19 2007, 06:06PM


Registered Member #7
Joined: Mon May 01 2006, 07:44PM
Location: St Louis, MO
Posts: 9
Thanked 0 times in 0 posts
Most recent log after snitfraudfix
1171926403_7_FT0_hijackthis.log

'You cannot succeed until you have failed'
ShadowPuterDude
Mon Feb 19 2007, 06:52PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
Looking at her log it looks like she has Norton Anti-Virus installed on her system. Is this correct?

Uninstall Webshots. This is Spyware.

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Weather Studio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Weather Studio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm020YYUS
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Run CCleaner

Attach a new HijackThis log.

Run BitDefender Online and PandaActive Scan. Attach the logs from those scanners. The BitDefender log is an HTML file; just change the file extension to txt before attaching the file.


[ Edited Mon Feb 19 2007, 06:59PM ]


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
AngelEye
Tue Feb 20 2007, 12:01PM
Registered Member #58
Joined: Mon Feb 19 2007, 06:10PM
Posts: 2
Thanked 0 times in 0 posts
Today's Hijack this is attached.

Now that Internet Explorer is no longer my main browser, I have no add ons in Firefox to enhance the experience. When I login to MySpace and go to my profile, I have a jumbled page, line running down the left and no music. Everyone else views it and hears it fine but something has changed that is preventing me from a normal, pleasurable internet browsing experience. Any ideas?? Vanessa shut down the add ons in IE so I lose the music experience but everything else is laid out properly. Minor glitches and the PC still runs fairly slow. I think some of the internet options may not be correct and I might be missing an add on or two to load the pages properly. Any fixes??
1171990907_58_FT558_hijackthis.log

AngelEye
ShadowPuterDude
Tue Feb 20 2007, 04:29PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
You probably need to install Flash for Firefox and configure Firefox for Java.

To configure Java for Firefox. In the Control Panel double-click the Java icon. Click on the Advanced tab, expand Default Java for browsers by clicking on the + sign. Make sure both Microsoft Internet Explorer and Mozilla Family have checkmarks. Click the Apply button then click on OK. Now Java is configured for Firefox and Internet Explorer.

To get the Adobe Flash Player for Firefox go to http://www.adobe.com/products/flashplayer/

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to DefWatch ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

DefWatch

Repeat the process for the following Services:
Norton AntiVirus Auto Protect Service or navapsvc (Whichever is present)
Norton AntiVirus Client or Norton AntiVirus Server (Whichever is present)

Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
Choose Kill Process. Click on the "Back" Button. Click the 'Scan' button.

Place a checkmark in the box next to the following lines:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Open ExplorerXP, navigate to and DELETE the following:
C:\Program Files\NavNT
C:\Program Files\Norton Internet Security
Now run CCleaner.

Reboot

Download:
- MGTOOLS.zip

Extract the contents of the zip file to the root directory of drive C:\ (C:\MGTOOLS). This will create a folder named MGTOOLS with 5 files in it.

Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\MGTOOLS and locate ShowNew.bat and double-click on it to run it. (Do not attempt to run the program from inside the ZIP file or by using Winzip. It will not work properly.) It will create a file named newfiles.txt in the root of drive C: (C:\newfiles.txt). This log will also pop up in a Notepad window, which you can just close.

Now locate GetRunKey.bat and double-click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window, which you can just close.

Possible Error Messages
  • If your newfiles.txt or runkeys.txt logs appear to be empty or semi-empty, or if you get an error message similar to the one below when running ShowNew.bat or GetRunKey.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.


    To fix the above error message, choose the download below which is appropriate for your system
    • For Windows XP Pro: download and run: XPproFix
    • For Windows XP Home: download and run: XPHomeFix
    • For Windows 2000: download and run: W2KFix

    Then run ShowNew.bat or GetRunKey.bat again and attach the log.

  • A possible second type of error message may occur as shown in the blockquote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem

16 bit MS-DOS Subsystem

drive:\program path
XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.

-or-

16 bit MS-DOS Subsystem
drive:\program path
SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.


After attempting to fix the above errors, run ShowNew.bat or GetRunKey.bat again and attach the log.

NOTE: For Win9x and WinMe users! ShowNew now supports Win9x and WinMe; however, it makes the assumption that you have Windows installed on drive C. If you do not have Windows installed on drive C, it will not work properly.

Paste the contents of both C:\newfiles.txt and C:\runkeys.txt to your reply
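Added example, not part of this thread and not HijackThis code: the Feb 19 06:52PM and Feb 20 04:29PM posts above pick HijackThis lines to "Fix checked" by eye. The Python below encodes the rules they apply (O2/O3/O23 entries whose file is gone, a missing default URLSearchHook, O16 ActiveX downloads from hosts that are not on a short allowlist, O4 autostart entries pointing outside the Windows directory) and runs them over the exact lines quoted in those posts. The TRUSTED_DPF_HOSTS allowlist is an assumption of the example, not something the helper stated; note that it leaves the KernelFaultCheck entry alone, which the helper removed as unnecessary rather than as malware.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: HijackThis lines copied from the posts in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Weather Studio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Assumed allowlist of hosts allowed to push ActiveX controls (O16/DPF); not from the thread.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "symantec.com")

LINE_RE = re.compile(r"^([RF]\d|O\d+) - (.*)$")
DEAD_REF = re.compile(r"\((?:no file|file missing)\)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse(log_text):
    """Split a HijackThis log into (section, body, original line); non-entry lines are skipped."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2), raw.strip()))
    return out


def host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Apply the rules the helper applied by eye and return the lines worth 'Fix checked'."""
    findings = []
    for section, body, line in parse(log_text):
        if section in ("O2", "O3", "O23") and DEAD_REF.search(body):
            # CLSID or service still registered but its file is gone: residue of a removed program or a partial cleanup
            findings.append(Finding(section, line, "registered component whose file no longer exists"))
        elif section == "R3" and body.endswith("is missing"):
            findings.append(Finding(section, line, "default URLSearchHook removed"))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not host_trusted(url):
                findings.append(Finding(section, line, "ActiveX control downloaded from %s" % urlparse(url).hostname))
        elif section == "O4":
            # Autostart entries: anything pointing outside %SystemRoot% is worth a look
            target = body.split(": ", 1)[-1].lower()
            if "%systemroot%" not in target and "c:\\windows\\" not in target:
                findings.append(Finding(section, line, "autostart entry outside the Windows directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "-", f.reason)
        print("   ", f.line)
```

Eight of the ten sample lines come back flagged; the two left alone are the DefWatch service (file present, Symantec-owned) and the dumprep entry under %systemroot%. The "(no file)" / "(file missing)" test is the one worth keeping in mind: a BHO or service whose DLL is gone cannot do anything, but the registration is still the fingerprint of whatever put it there, and it is what the helper cleans up first.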
AngelEye
Tue Feb 20 2007, 07:30PM
Registered Member #58
Joined: Mon Feb 19 2007, 06:10PM
Posts: 2
Thanked 0 times in 0 posts

I did everything requested; however, there were some components on the HJT list that you gave that were not present. Also, I could not remove DefWatch; the program would not allow it, but I did disable it. Process Mgr only had the bottom VPtray to kill.

I completed everything else.

Please find attached ShowNew and GetRunKey logs for your review.

Thank You Again for all your help!!


1172017825_58_FT558_newfiles.txt
1172017825_58_FT558_runkeys.txt

ShadowPuterDude
Tue Feb 20 2007, 10:09PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
Download
- Pocket Killbox
- ExplorerXP
- CCleaner Slim

Using Add or Remove Programs in the Control Panel; uninstall the following:
Java 2 Runtime Environment, SE v1.4.2
MarketResearch
ProductContext
System Alert Popup
Viewpoint Media Player (Remove Only)
WinMX


Copy the contents below to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"user32.dll"=-
"rare"=-
Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\Downloaded Program Files\wsaxffmpeg.dll
    C:\WINDOWS\Downloaded Program Files\wsaxmediauploader.ocx
    C:\WINDOWS\Downloaded Program Files\wsaxupdater.dll
    C:\WINDOWS\SYSTEM32\DRIVERS\hosts
    C:\Documents and Settings\Angela\Local Settings\Temp\MAR2.tmp
    C:\Documents and Settings\Angela\Local Settings\Temp\ mon000.log
    C:\Documents and Settings\Angela\Local Settings\Temp\ mon001.log
    C:\Documents and Settings\Angela\Local Settings\Temp\plugtmp
    C:\Program Files\Video ActiveX Object\isamntr.exe
    C:\Program Files\Video ActiveX Object\pmsnrr.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP, navigate to and DELETE the following:
C:\Program Files\Video ActiveX Object
C:\Program Files\Webshots
C:\WINDOWS\Downloaded Program Files\wsaxffmpeg.dll
C:\WINDOWS\Downloaded Program Files\wsaxmediauploader.ocx
C:\WINDOWS\Downloaded Program Files\wsaxupdater.dll
C:\WINDOWS\SYSTEM32\DRIVERS\hosts
Now run CCleaner.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin


And Click OK.

REBOOT to .

Do the following:
Start -> Run
type msconfig.exe
click OK

Click the General tab, and then click Normal startup, click OK, and then restart the computer when you are prompted

Post the following logs:
1. ShowNew
2. GetRunKey
3. HijackThis


Make sure to tell me how things are working.
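Added example, not part of this thread: the FixReg.reg file in the post above is merged blind by double-clicking it, so it is worth being able to read what a .reg file will do before saying 'Yes'. The Python below parses the REGEDIT4 syntax that file uses ([KEY] sections, [-KEY] to delete a key, "name"=dword:hex, "name"="string", and "name"=- to delete a value), then reports which autostart entries the file adds or removes and checks that the Explorer\Advanced values really do make hidden files and extensions visible. The AUTORUN_KEYS list is the example's own assumption about which keys deserve review; the sample input is the FixReg.reg text from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The FixReg.reg contents from the post above, used as the sample input.
FIXREG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"user32.dll"=-
"rare"=-
"""

# Assumed: autostart keys (under HKCU or HKLM) whose changes should always be reviewed before a merge.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


@dataclass
class RegOp:
    key: str
    name: Optional[str]      # None when the whole key is deleted ([-KEY] syntax)
    action: str              # "set" or "delete"
    value: object = None     # int for dword:, str for "string" values


def parse_reg(text):
    """Turn REGEDIT4 / 5.00 text into a list of RegOp; raises on syntax it does not understand."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing header line")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):             # [-KEY] deletes the key and everything under it
                ops.append(RegOp(key[1:], None, "delete"))
                key = None
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError("unexpected line: %s" % line)
        name = m.group(1) if m.group(1) is not None else ""   # @ is the key's default value
        rhs = m.group(2)
        if rhs == "-":                          # "name"=- deletes that one value
            ops.append(RegOp(key, name, "delete"))
        elif rhs.lower().startswith("dword:"):
            ops.append(RegOp(key, name, "set", int(rhs[6:], 16)))
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            ops.append(RegOp(key, name, "set", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")))
        else:
            raise ValueError("unsupported value syntax: %s" % line)
    return ops


def autorun_changes(ops):
    """Every op that touches an autostart key, so a reviewer can confirm the file only removes entries there."""
    out = []
    for op in ops:
        subkey = op.key.split("\\", 1)[1].lower() if "\\" in op.key else ""
        if subkey in AUTORUN_KEYS:
            out.append(op)
    return out


def explorer_view_fixed(ops):
    """True when the file makes hidden/system files and extensions visible (Hidden=1, ShowSuperHidden=1, HideFileExt=0)."""
    want = {"hidden": 1, "showsuperhidden": 1, "hidefileext": 0}
    seen = {}
    for op in ops:
        if op.action == "set" and op.key.lower().endswith("\\explorer\\advanced"):
            seen[op.name.lower()] = op.value
    return all(seen.get(k) == v for k, v in want.items())


if __name__ == "__main__":
    ops = parse_reg(FIXREG)
    for op in autorun_changes(ops):
        print(op.action, op.key + "\\" + (op.name or ""))
    print("explorer shows hidden files:", explorer_view_fixed(ops))
```

For this file the autostart report is two deletes under Policies\Explorer\run ("user32.dll" and "rare") and nothing added, which is what you want to see from a cleanup .reg; a "set" op under any of those keys in a file someone sent you would be the thing to stop and ask about. The Policies\Explorer\run key is the same location the HijackThis O4 lines in the earlier posts come from, and the "user32.dll" value name is chosen to look like a system file, which is exactly why the helper shows hidden files and extensions in the same step.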
 

Copyright 2006-2009 MalwareTeks