12-20-2011, 03:42 PM | #2
Supporter
Join Date: Jan 2004
Location: Liberty
I thought I had it removed, but it came back....twice.
I finally backed up and restored to factory settings. Clean as a whistle now. All that reinstalling sure was a PIA, but at least now I am sure it's gone.
Posts: 16,766

12-20-2011, 03:47 PM | #3
Veteran
Join Date: Nov 2011
Location: Villa Straylight
That's the only way you can be sure. Anti-malware tools are too spotty and inconsistent. Obviously this thread speaks volumes to the kind of snake oil that is being sold by AV and anti-malware vendors as well. Circumventing these things is very trivial for anyone who knows what they are doing.
Posts: 2,367

12-20-2011, 10:42 PM | #4
Got swag?
Join Date: Aug 2003
Location: Madison, MS
It also scares me the number of novice users running ComboFix at the first sign of an infection. It should really be used as a last resort - before a wipe and reload.
Posts: 11,847

12-21-2011, 12:00 AM | #5
Would an idiot do that?
Join Date: Nov 2000
Location: Arizona
I've gone back and forth with that in my head... I've never had a problem with it, but I've thought about editing the OP to include "for starters, reboot into safe mode, scan with Malwarebytes & antivirus, etc." ... "and for a kill-it-with-fire approach, here's ComboFix...". I actually started editing it last night, but thought it came off like it was so time consuming, you might as well just restore.
Posts: 55,567

12-21-2011, 11:24 AM | #6
Got swag?
Join Date: Aug 2003
Location: Madison, MS
To add to fish's instructions:
For XP users: Disabling System Restore will automatically wipe all restore points. Right-click on My Computer, select the System Restore tab, and you will have a checkbox to turn off system monitor - do this. After repairing the system, go back to the same tab and turn it back on.
Posts: 11,847

12-21-2011, 12:27 PM | #7
MY LITTLE #15
Join Date: Dec 2004
Location: Springfield, MO
AAAAAAGGGGGGGGGHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Posts: 63,445

12-22-2011, 09:27 AM | #8
Everything is Awesome!!!!!
Join Date: Jul 2008
Location: The Pitt
Posts: 10,934

12-22-2011, 12:35 PM | #9
MY LITTLE #15
Join Date: Dec 2004
Location: Springfield, MO
Got the Flashblock add-on on Firefox. Been roaming around CP for about 20 minutes, and my Webroot just blocked a rogue. I'm still here, though, and no Vista Internet Security 2012 pop-ups....yet.
I posted this on Facebook, but I'll put it on here. It's a knb.exe rogue file that attaches itself to any executable you try to run. The information on bleepingcomputer.com was a huge help. This time, it caught it whenever I clicked to go into the Media Center forum. I've been browsing different threads, including one that I know I was in before when it happened. I've also been posting on a few people's profile pages. I've got about 10 minutes before I need to head back to work, so I'll keep snooping around here and see what happens.
Posts: 63,445

12-22-2011, 11:09 PM | #10
MVP
Join Date: Mar 2011
Yea, I got that Vista Internet Security crap the other day as well. I did a restore and everything appears fine. I have since added MSE to my computer, so hopefully that will do the trick.
Posts: 5,831

12-24-2011, 10:20 AM | #11
MY LITTLE #15
Join Date: Dec 2004
Location: Springfield, MO
Annoying. I have to disable Flashblock for some sites, but, if I forget to enable it, then something always, without fail, triggers my anti-virus on this site.
Posts: 63,445

12-24-2011, 11:47 AM | #12
M-I-Z S-E-C
Join Date: Apr 2009
Just cleared out the Vista Antispyware bullshit. Who the **** spends their free time making this shit? What's the ****ing point?
Posts: 6,039

12-24-2011, 09:32 PM | #13
MY LITTLE #15
Join Date: Dec 2004
Location: Springfield, MO
Just got hit again. Did a system restore, ran the now usual scans, and downloaded Chrome.
Posts: 63,445

12-25-2011, 04:22 PM | #14
....
Join Date: Apr 2009
Location: Somewhere Kansas
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:18:08 PM, on 12/25/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\HiJack This\HijackThis.exe
C:\Documents and Settings\Sara\Local Settings\Application Data\xxn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...4wu25w87023115
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...4wu25w87023115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: BHO Project - {66D8FBA6-D90F-40A9-AC55-84896F79CA69} - C:\Program Files\Object\bho_project.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\ARO.exe -rem
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe

-- End of file - 6904 bytes

My wife's PC is sick. This is the printout after running HijackThis. Already tried everything listed so far and nothing is working. Thanks.
Posts: 27,731
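Added example, not code from this thread and not HijackThis's own logic: a small Python triage script for a HijackThis 2.x log like the one posted above. The three rules are my assumptions about what a rogue-AV infection leaves in such a log (a process or autorun living under a per-user profile directory, a Start Page whose host matches none of the log's own Default_Page_URL / Default_Search_URL hosts, and an orphaned BHO). The sample input is constructed: lines copied from the posted log, plus one O4 autorun line for knb.exe that I made up so the autorun rule has something to hit; it is marked as such in the code.

```python
"""Triage a HijackThis 2.x log for the indicators a rogue-AV infection leaves behind.

Rules (heuristics chosen for this example, not HijackThis's own logic):
  * a running process or an O4 autorun whose binary lives under a per-user
    profile directory (Local Settings\\Application Data, Temp, AppData), where
    malware running as the logged-on user can drop files without admin rights;
  * an R0 Start Page whose host is not one of the R1 Default_Page_URL /
    Default_Search_URL hosts in the same log (the OEM / Microsoft defaults);
  * an O2 BHO whose DLL is gone ("(no file)"), an orphan to clean up.
"""
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the log posted above, plus one
# O4 line invented for this example (the [knb] autorun) so the autorun rule
# has something to match. That O4 line is NOT from the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Sara\Local Settings\Application Data\xxn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...4wu25w87023115
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [knb] C:\Documents and Settings\Sara\Local Settings\Application Data\knb.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "R0 - body" / "O4 - body" entry lines.
ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# R-line body: hive\key,ValueName = data
R_VALUE = re.compile(r"^(?P<hive>HK\w+)\\.*?,(?P<value>[^=]+?) = (?P<data>.*)$")
# O4 body: hive\..\Run: [name] "path.exe" args   (quotes optional)
O4_RUN = re.compile(r'^(?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>.+?\.exe)', re.I)
# Per-user profile locations (XP and Vista+ layouts) writable without admin rights.
USER_WRITABLE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Local Settings\\(?:Application Data|Temp)|Application Data)\\"
    r"|\\Users\\[^\\]+\\AppData\\",
    re.I,
)


def parse(text):
    """Return [(code, body)] where code is 'PROC' for the process list or the HJT section code."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif in_procs:
            entries.append(("PROC", line))
    return entries


def baseline_hosts(entries):
    """Hosts from R1 Default_Page_URL / Default_Search_URL: the OEM and Microsoft defaults."""
    hosts = set()
    for code, body in entries:
        m = R_VALUE.match(body)
        if code == "R1" and m and m["value"].strip() in ("Default_Page_URL", "Default_Search_URL"):
            host = urlparse(m["data"].strip()).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def triage(text):
    """Return [(severity, reason, entry_body)] in log order."""
    entries = parse(text)
    defaults = baseline_hosts(entries)
    findings = []
    for code, body in entries:
        if code == "PROC" and USER_WRITABLE.search(body):
            findings.append(("HIGH", "process running from user-writable profile path", body))
        elif code == "R0":
            m = R_VALUE.match(body)
            if m and m["value"].strip() == "Start Page":
                host = (urlparse(m["data"].strip()).hostname or "").lower()
                if host and host not in defaults:
                    findings.append(("MEDIUM", f"start page points off the default hosts ({host})", body))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(("LOW", "orphaned BHO registration (DLL missing)", body))
        elif code == "O4":
            m = O4_RUN.match(body)
            if m and USER_WRITABLE.search(m["path"]):
                findings.append(("HIGH", f"autorun '{m['name']}' launches from user-writable path", body))
    return findings


if __name__ == "__main__":
    for severity, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {body}")
```

Run against the constructed sample it flags xxn.exe and the made-up knb autorun as HIGH, the startsearcher.com start page as MEDIUM (because neither Default_Page_URL nor Default_Search_URL in the same log names that host), and the nameless BHO as LOW; the Microsoft Security Client autorun and the Bonjour service pass. The baseline-from-the-log trick avoids hard-coding "good" home pages, but it trusts the R1 defaults, so on a log where the OEM default itself has been rewritten you still have to read those lines by eye.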

12-26-2011, 11:01 AM | #15
Would an idiot do that?
Join Date: Nov 2000
Location: Arizona
Posts: 55,567