Thread ID: 138112 2014-10-06 08:24:00 HJT Log ... any chance you could have a look Speedy ?? SP8's (9836) Press F1
1385712 2014-10-06 08:24:00 This is from a computer that belongs to the secretary of a club I belong to, and there's no way I'm letting club business be put on it until it's cleaned out. SAS & MB get blocked and close down, there are a couple of hundred "Optimisers, Addons & other associated crap", and I didn't have time to do anything more than get a HJT log off it tonight.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:24:31 p.m., on 6/10/2014
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesApp32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Lorna\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search.us.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ie.redirect.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
R3 - URLSearchHook: (no name) - {3c35ad63-af1d-4e21-b484-b6651a8efcf9} - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\Browser Plugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: SalaeesaCheckkeRe - {38A36149-D99C-BA04-C572-B2B3DC57C86C} - C:\ProgramData\SalaeesaCheckkeRe\_P5x.dll
O2 - BHO: Toolbar BHO - {48909954-14fb-4971-a7b3-47e7af10b38a} - C:\PROGRA~1\RADIOR~2\bar\1.bin\4jbar.dll
O2 - BHO: ContentBlockerBrowserHelperObject - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
O2 - BHO: Search Assistant BHO - {5848763c-2668-44ca-adbe-2999a6ee2858} - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll
O2 - BHO: dealeSiter - {5B10C86F-A963-736C-ECB5-B50268D94CEF} - C:\ProgramData\dealeSiter\zbCdoDr7.dll
O2 - BHO: SaalessMaugNeet - {5EFEE57B-11E1-4FBA-373F-961FC2C59223} - C:\ProgramData\SaalessMaugNeet\cMxhUf_WSZ.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll
O2 - BHO: Convaerter Masteu - {A78BC923-DD0F-51EC-10FF-C38D547C63B1} - C:\ProgramData\Convaerter Masteu\aI.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O3 - Toolbar: RadioRage - {78ba36c9-6036-482b-b48d-ecca6f964b84} - C:\Program Files\RadioRage_4j\bar\1.bin\4jbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio 2010\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\Update\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Lorna\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ISUSPM] -scheduler
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - upload.facebook.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - platformdl.adobe.com
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - AppInit_DLLs: c:\windows\system32\cnc240i32.dll c:\progra~1\optimi~1\optpro~2.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9eaf3c7bfad30) (gupdate1c9eaf3c7bfad30) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: RadioRage Service (RadioRage_4jService) - RadioRage - C:\PROGRA~1\RADIOR~2\bar\1.bin\4jbarsvc.exe
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: RoxMediaDB12 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesService32.exe

--
End of file - 12554 bytes


Thanks
SP8's
SP8's (9836)
1385713 2014-10-06 21:04:00 I'll start things off :D

"RadioRage Toolbar installs a Mindspark toolbar", i.e. mywebsearch: remove it
TuneUp Utilities: sometimes these types of tools are malware, sometimes just crud that does more harm than good
RealPlay.exe: why anyone would want to use that is beyond me :-) Not really malware (that may have changed?)
SalaeesaCheckkeRe: just sounds suspicious. Could be anything.
dealeSiter, RadioRage_4j, search.us.com: suspicious

Run Malwarebytes & HitmanPro across it. There's probably a lot more malware on it.
You'll also need to reset IE to defaults to disable all the addons & browser hijackers.

Kaspersky obviously isn't doing its job. A pity, KAV used to be a good product.
1101 (13337)
1385714 2014-10-07 10:29:00 R3 - URLSearchHook: (no name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)

R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)

Yup, uninstall this

R3 - URLSearchHook: (no name) - {3c35ad63-af1d-4e21-b484-b6651a8efcf9} - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll

O2 - BHO: SalaeesaCheckkeRe - {38A36149-D99C-BA04-C572-B2B3DC57C86C} - C:\ProgramData\SalaeesaCheckkeRe\_P5x.dll

O2 - BHO: Toolbar BHO - {48909954-14fb-4971-a7b3-47e7af10b38a} - C:\PROGRA~1\RADIOR~2\bar\1.bin\4jbar.dll

O2 - BHO: Search Assistant BHO - {5848763c-2668-44ca-adbe-2999a6ee2858} - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll

O2 - BHO: dealeSiter - {5B10C86F-A963-736C-ECB5-B50268D94CEF} - C:\ProgramData\dealeSiter\zbCdoDr7.dll

O2 - BHO: SaalessMaugNeet - {5EFEE57B-11E1-4FBA-373F-961FC2C59223} - C:\ProgramData\SaalessMaugNeet\cMxhUf_WSZ.dll

Have no idea what this is

O2 - BHO: Convaerter Masteu - {A78BC923-DD0F-51EC-10FF-C38D547C63B1} - C:\ProgramData\Convaerter Masteu\aI.dll

O3 - Toolbar: RadioRage - {78ba36c9-6036-482b-b48d-ecca6f964b84} - C:\Program Files\RadioRage_4j\bar\1.bin\4jbar.dll

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ISUSPM] -scheduler

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

See if Optimiser Pro is installed; uninstall it if it is

O20 - AppInit_DLLs: c:\windows\system32\cnc240i32.dll c:\progra~1\optimi~1\optpro~2.dll

I would also get AdwCleaner (http:), run it, then click on Scan after you uninstall the above programs. If it picks up remaining folders / reg entries, tick them and click on Clean.
Speedy Gonzales (78)
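As an added example, not code from the thread or from HijackThis, here is a Python triage pass over the kinds of lines 1101 and Speedy Gonzales picked out above: orphaned R3 URLSearchHooks, BHOs and toolbars loading from ProgramData or the RadioRage / Optimizer Pro directories, the O20 AppInit_DLLs entry, the RadioRage service, and the search.us.com default page. For each hit it names the registry key HJT read the entry from, which is where to look for remnants once the uninstalls and AdwCleaner have run. The vendor-default page list and the suspect path markers are assumptions taken from the replies, and the embedded log lines are a constructed subset of the log posted above.

```python
"""Triage a HijackThis 2.x log for the entry types picked out in this thread
and name the registry location behind each flagged line, so remnants can be
checked after the cleanup tools have run.

Added example for this thread, not HijackThis's own code. The vendor-default
page list and the suspect path markers are assumptions taken from the replies
(RadioRage, Optimizer Pro, search.us.com); treat hits as a review queue."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search.us.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.co.nz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)
R3 - URLSearchHook: (no name) - {3c35ad63-af1d-4e21-b484-b6651a8efcf9} - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\Browser Plugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: SalaeesaCheckkeRe - {38A36149-D99C-BA04-C572-B2B3DC57C86C} - C:\ProgramData\SalaeesaCheckkeRe\_P5x.dll
O2 - BHO: dealeSiter - {5B10C86F-A963-736C-ECB5-B50268D94CEF} - C:\ProgramData\dealeSiter\zbCdoDr7.dll
O3 - Toolbar: RadioRage - {78ba36c9-6036-482b-b48d-ecca6f964b84} - C:\Program Files\RadioRage_4j\bar\1.bin\4jbar.dll
O20 - AppInit_DLLs: c:\windows\system32\cnc240i32.dll c:\progra~1\optimi~1\optpro~2.dll
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
O23 - Service: RadioRage Service (RadioRage_4jService) - RadioRage - C:\PROGRA~1\RADIOR~2\bar\1.bin\4jbarsvc.exe
"""

CLSID = r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
RE_R = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
RE_R3 = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - " + CLSID + r" - (?P<path>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - " + CLSID + r" - (?P<path>.*)$")
RE_O3 = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - " + CLSID + r" - (?P<path>.*)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
RE_SHORT = re.compile(r"\((?P<short>[^()]+)\)\s*$")  # "(AVP)" at the end of a display name

# Where HJT reads each section from; reported so the reader knows what to re-check.
URLHOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"

# Assumptions: IE page values that are vendor defaults on this HP/Vista build, and
# path fragments worth a second look. ProgramData/AppData also hold legitimate
# plugins (Real's in this log), which is why hits are a review queue, not a verdict.
PAGE_VALUES = {"Default_Page_URL", "Default_Search_URL", "Search Page", "Start Page"}
DEFAULT_PAGES = {"go.microsoft.com", "ie.redirect.hp.com", "msn.co.nz"}
SUSPECT_MARKERS = ("\\programdata\\", "\\appdata\\", "radiorage", "radior~", "optimi~")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code: R1, R3, O2, O3, O20 or O23
    subject: str   # the CLSID, DLL, service name or URL that was flagged
    reason: str
    registry: str  # where the entry lives, for checking remnants after cleanup


def suspect(path: str) -> bool:
    return any(marker in path.lower() for marker in SUSPECT_MARKERS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per flagged entry, in log order."""
    out: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_R.match(line):
            value, data = m["value"].strip(), m["data"].strip()
            if value in PAGE_VALUES and data.lower() not in DEFAULT_PAGES:
                out.append(Finding(line[:2], data, "IE page setting is not a vendor default",
                                   f"{m['key']}, value {value}"))
        elif m := RE_R3.match(line):
            # Orphaned ("(no file)") or unnamed hooks, and hooks in suspect paths.
            if m["path"] == "(no file)" or m["name"] == "(no name)" or suspect(m["path"]):
                out.append(Finding("R3", m["clsid"], f"URLSearchHook -> {m['path']}",
                                   f"{URLHOOK_KEY}, value {m['clsid']}"))
        elif m := RE_O2.match(line):
            if suspect(m["path"]):
                out.append(Finding("O2", m["clsid"], f"BHO '{m['name']}' loads {m['path']}",
                                   f"{BHO_KEY}\\{m['clsid']} and HKCR\\CLSID\\{m['clsid']}\\InprocServer32"))
        elif m := RE_O3.match(line):
            if suspect(m["path"]):
                out.append(Finding("O3", m["clsid"], f"toolbar '{m['name']}' loads {m['path']}",
                                   f"{TOOLBAR_KEY}, value {m['clsid']}"))
        elif m := RE_O20.match(line):
            # AppInit_DLLs is a space- or comma-separated list; each entry is loaded
            # into every process that loads user32.dll, so every entry is reported.
            for dll in filter(None, re.split(r"[\s,]+", m["dlls"].strip())):
                out.append(Finding("O20", dll, "AppInit_DLLs injection", APPINIT_KEY))
        elif m := RE_O23.match(line):
            if suspect(m["path"]):
                sm = RE_SHORT.search(m["display"])
                short = sm["short"] if sm else m["display"]
                out.append(Finding("O23", short, f"service binary {m['path']} ({m['vendor']})",
                                   f"{SERVICES_KEY}\\{short}"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.subject}\n    {f.reason}\n    check: {f.registry}")
```

Run it against a full HJT log saved to a file by replacing SAMPLE_LOG with the file's contents; entries HJT marks "(no file)" are already orphans and only their registry value needs deleting, while the ProgramData BHOs need both the BHO key and the CLSID registration removed, which is the kind of leftover Speedy's AdwCleaner step is meant to catch.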
1385715 2014-10-07 19:46:00 Thanks guys.

I'll find the time over the next couple of weeks (maybe) to get this done ... How many more shopping days left until Christmas ???
SP8's (9836)
1385716 2014-10-07 20:36:00 Good fun to clean out, reasonably easy as well. Just time consuming.

HJT only shows a fraction of where the infections are.

Suggested Method in this order:

Run CCleaner
Rkill (kills the processes)
Run Revo Uninstaller portable: locate the obvious programs you want gone, optimisers etc., and use the advanced mode to remove the folder structures and related registry entries.
Then run the following programs:

All programs mentioned can be obtained free from www.bleepingcomputer.com (http:)

RogueKiller
AdwCleaner
Junkware Remover (JRT)
Malwarebytes
Hitman Pro
TFC (will remove temp files ccleaner misses)

That should get rid of most; you can also use ComboFix.

Remove Kaspersky and install Nod32 (a trial will do for the meantime, NOT the online scanner). Set it so it works to its full capacity in the settings (that's important: many people install it and use it with its default settings, which, while OK, are not as good as the full settings). Make it do a FULL scan; it often will find things all the other programs miss. Nod will run through and often appears to slow at 98-99%, just let it finish.

You really do need to run ALL the programs, as no one program will detect everything.

Go back into your browser(s) and reset the home pages if you need to. Also have a look at the Addons in the browsers, make sure all fragments of the malware have gone.

If you want to be doubly sure, open CCleaner, run the registry scan and look to make sure nothing from the infections is left behind; delete it if there is.

Depending on the amount of data and the speed of the computer, it shouldn't take longer than a day (serious).

Just a hint: BEFORE running Nod, delete the AdwCleaner folder on the C drive. Some of the programs, and NOD, WILL detect infections in the quarantine folder of AdwCleaner (in fact Nod will also detect it if it's in the recycle bin).

Quote: "I'll find the time over the next couple of weeks (maybe) to get this done"

You need to do it all in one hit; if you do some one day, some another etc., it will re-infect and you'll need to start again.

JUST noticed it's Vista :eek: Back up data or image the drive FIRST. Often when these infections are removed, Vista can spit the dummy.
wainuitech (129)