0

Hi,
Has anyone else experienced this? I have two firewalls and antivirus, so I am surprised to say the least! But not that surprised..
Can anyone help me work out what is going on?

Cheers!

7 Contributors, 13 Replies, 14 Views, 7 Years Discussion Span, Last Post by crunchie
0

I found this at whois:

WHOIS - m1cr0soft.com

Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Status: clientTransferProhibited
Dates: Created 19-apr-2009 Updated 06-jun-2009 Expires 19-apr-2010
DNS Servers: DNS14.HICHINA.COM DNS15.HICHINA.COM

I was referred to grs.hichina.com; I'm looking it up there.


Domain Name ..................... m1cr0soft.com
Name Server ..................... dns14.hichina.com
dns15.hichina.com
Registrant ID ................... hc992362914-cn
Registrant Name ................. soft M1cr0
Registrant Organization ......... M1cr0soft
Registrant Address .............. USA SAMOA
Registrant City ................. US
Registrant Province/State ....... US
Registrant Postal Code .......... 000000
Registrant Country Code ......... AS
Registrant Phone Number ......... +01.0467634823 -
Registrant Fax .................. +01.0467634824 -
Registrant Email ................ *********@m1cr0soft.com
Administrative ID ............... hc992362914-cn
Administrative Name ............. soft M1cr0
Administrative Organization ..... M1cr0soft
Administrative Address .......... USA SAMOA
Administrative City ............. US
Administrative Province/State ... US
Administrative Postal Code ...... 000000
Administrative Country Code ..... AS
Administrative Phone Number ..... +01.0467634823 -
Administrative Fax .............. +01.0467634824 -
Administrative Email ............ *********@m1cr0soft.com
Billing ID ...................... hc992362914-cn
Billing Name .................... soft M1cr0
Billing Organization ............ M1cr0soft
Billing Address ................. USA SAMOA
Billing City .................... US
Billing Province/State .......... US
Billing Postal Code ............. 000000
Billing Country Code ............ AS
Billing Phone Number ............ +01.0467634823 -
Billing Fax ..................... +01.0467634824 -
Billing Email ................... *********@m1cr0soft.com
Technical ID .................... hc992362914-cn
Technical Name .................. soft M1cr0
Technical Organization .......... M1cr0soft
Technical Address ............... USA SAMOA
Technical City .................. US
Technical Province/State ........ US
Technical Postal Code ........... 000000
Technical Country Code .......... AS
Technical Phone Number .......... +01.0467634823 -
Technical Fax ................... +01.0467634824 -
Technical Email ................. *********@m1cr0soft.com
Expiration Date ................. 2010-04-19 04:49:39

Maybe you should run HiJackThis and show us the report.

0

Moving to the viruses/malware board.

Check you don't have any dodgy entries in the HOSTS file. Prepare a HijackThis log too.

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:14, on 16/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
D:\jr-T2\T\ware\latest\TestXSLT_T\T_Studio\bin\Debug\T_Studio.vshost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\jr-T2\AdminDocs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TodoMain.txt.lnk = D:\jr-T2\AdminDocs\Todo\TodoMain.txt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O15 - Trusted Zone: *.1and1.co.uk
O15 - Trusted Zone: *.888.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.amd.com
O15 - Trusted Zone: *.cnet.co.uk
O15 - Trusted Zone: *.download.cnet.com
O15 - Trusted Zone: *.codeplex.com
O15 - Trusted Zone: *.codinginparadise.org
O15 - Trusted Zone: *.comodo.com
O15 - Trusted Zone: *.csshub.com
O15 - Trusted Zone: *.dabs.com
O15 - Trusted Zone: *.discountasp.net
O15 - Trusted Zone: *.dojotoolkit.org
O15 - Trusted Zone: *.domaintools.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.dreamtemplate.com
O15 - Trusted Zone: *.entertonement.com
O15 - Trusted Zone: *.facebook.com
O15 - Trusted Zone: *.fbcdn.net
O15 - Trusted Zone: http://www.free-av.com
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: ie7-js.googlecode.com
O15 - Trusted Zone: *.gstatic.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: http://www.hypergurl.com
O15 - Trusted Zone: http://www-307.ibm.com
O15 - Trusted Zone: *.iconobjects.com
O15 - Trusted Zone: http://virusscan.jotti.org
O15 - Trusted Zone: *.jr-t.com
O15 - Trusted Zone: http://*.keep-tube.com
O15 - Trusted Zone: http://www.keephd.com
O15 - Trusted Zone: *.lanware.co.uk
O15 - Trusted Zone: download.lenovo.com
O15 - Trusted Zone: *.liquidx.net
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.loombo.com
O15 - Trusted Zone: *.mfiles.co.uk
O15 - Trusted Zone: http://www.movies-links.tv
O15 - Trusted Zone: *.mozilla.org
O15 - Trusted Zone: http://mediaweb.musicradio.com
O15 - Trusted Zone: *.mysonicwall.com
O15 - Trusted Zone: *.nih.gov
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: http://www.popularmechanics.com
O15 - Trusted Zone: http://www.pr0digy.com
O15 - Trusted Zone: *.raphaeljs.com
O15 - Trusted Zone: http://www.rarlab.com
O15 - Trusted Zone: http://reflector.red-gate.com
O15 - Trusted Zone: *.rgsgames.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.servicom.co.uk
O15 - Trusted Zone: *.skybet.com
O15 - Trusted Zone: *.skybingo.com
O15 - Trusted Zone: *.skypoker.com
O15 - Trusted Zone: *.skyvegas.com
O15 - Trusted Zone: *.spiffycorners.com
O15 - Trusted Zone: *.superiorcasino.com
O15 - Trusted Zone: *.swfir.com
O15 - Trusted Zone: *.thecodecentral.com
O15 - Trusted Zone: *.toshiba-europe.com
O15 - Trusted Zone: http://www.phys.unsw.edu.au
O15 - Trusted Zone: *.videolectures.net
O15 - Trusted Zone: *.vmware.com
O15 - Trusted Zone: http://www.sv.vt.edu
O15 - Trusted Zone: http://www.walterzorn.com
O15 - Trusted Zone: http://www.watch-movies-online.tv
O15 - Trusted Zone: *.wikipedia.org
O15 - Trusted Zone: *.williamhill.com
O15 - Trusted Zone: *.williamhillcasino.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted Zone: *.ytimg.com
O15 - Trusted Zone: *.zachstronaut.com
O15 - Trusted IP range: 192.168.168.168
O15 - Trusted IP range: 192.168.1.254
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236783645078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258923827640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8671 bytes

Thanks for your help guys

0

Big problems to begin with where you stated:

I have two firewalls

The absolute rule is 1 firewall and 1 antivirus program should be running on a computer. So uninstall one of them immediately.
Then do the following:
Run HJT again and put check marks next to all of these entries:
O15 - Trusted Zone: *.1and1.co.uk
O15 - Trusted Zone: *.888.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.amd.com
O15 - Trusted Zone: *.cnet.co.uk
O15 - Trusted Zone: *.download.cnet.com
O15 - Trusted Zone: *.codeplex.com
O15 - Trusted Zone: *.codinginparadise.org
O15 - Trusted Zone: *.comodo.com
O15 - Trusted Zone: *.csshub.com
O15 - Trusted Zone: *.dabs.com
O15 - Trusted Zone: *.discountasp.net
O15 - Trusted Zone: *.dojotoolkit.org
O15 - Trusted Zone: *.domaintools.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.dreamtemplate.com
O15 - Trusted Zone: *.entertonement.com
O15 - Trusted Zone: *.facebook.com
O15 - Trusted Zone: *.fbcdn.net
O15 - Trusted Zone: http://www.free-av.com
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: ie7-js.googlecode.com
O15 - Trusted Zone: *.gstatic.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: http://www.hypergurl.com
O15 - Trusted Zone: http://www-307.ibm.com
O15 - Trusted Zone: *.iconobjects.com
O15 - Trusted Zone: http://virusscan.jotti.org
O15 - Trusted Zone: *.jr-t.com
O15 - Trusted Zone: http://*.keep-tube.com
O15 - Trusted Zone: http://www.keephd.com
O15 - Trusted Zone: *.lanware.co.uk
O15 - Trusted Zone: download.lenovo.com
O15 - Trusted Zone: *.liquidx.net
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.loombo.com
O15 - Trusted Zone: *.mfiles.co.uk
O15 - Trusted Zone: http://www.movies-links.tv
O15 - Trusted Zone: *.mozilla.org
O15 - Trusted Zone: http://mediaweb.musicradio.com
O15 - Trusted Zone: *.mysonicwall.com
O15 - Trusted Zone: *.nih.gov
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: http://www.popularmechanics.com
O15 - Trusted Zone: http://www.pr0digy.com
O15 - Trusted Zone: *.raphaeljs.com
O15 - Trusted Zone: http://www.rarlab.com
O15 - Trusted Zone: http://reflector.red-gate.com
O15 - Trusted Zone: *.rgsgames.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.servicom.co.uk
O15 - Trusted Zone: *.skybet.com
O15 - Trusted Zone: *.skybingo.com
O15 - Trusted Zone: *.skypoker.com
O15 - Trusted Zone: *.skyvegas.com
O15 - Trusted Zone: *.spiffycorners.com
O15 - Trusted Zone: *.superiorcasino.com
O15 - Trusted Zone: *.swfir.com
O15 - Trusted Zone: *.thecodecentral.com
O15 - Trusted Zone: *.toshiba-europe.com
O15 - Trusted Zone: http://www.phys.unsw.edu.au
O15 - Trusted Zone: *.videolectures.net
O15 - Trusted Zone: *.vmware.com
O15 - Trusted Zone: http://www.sv.vt.edu
O15 - Trusted Zone: http://www.walterzorn.com
O15 - Trusted Zone: http://www.watch-movies-online.tv
O15 - Trusted Zone: *.wikipedia.org
O15 - Trusted Zone: *.williamhill.com
O15 - Trusted Zone: *.williamhillcasino.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted Zone: *.ytimg.com
O15 - Trusted Zone: *.zachstronaut.com
O15 - Trusted IP range: 192.168.168.168
O15 - Trusted IP range: 192.168.1.254

In other words ALL of those O15 entries. Once you have placed the check marks then click the Fix Checked button. Exit HJT.
Then do this:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer. VERY IMPORTANT
Run a new HiJackThis scan and save the log. Post back here with the MBA-M log and the new HJT log.
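
The two checks the helpers ask for in this thread, a review of the O15 Trusted Zone entries (and the R1 proxy line) in a HijackThis log and a look for dodgy HOSTS entries, as an added Python example that is not part of the thread or of HijackThis itself. The sample log lines and HOSTS file are constructed to mirror the line formats in the posted logs, and the list of protected domains is an assumption for the example.

```python
"""Triage a HijackThis log and a Windows HOSTS file for signs of browser hijacking.

Added example written for this thread; it is not part of HijackThis or of any
poster's code. The sample log and HOSTS text below are constructed, modelled
on the line formats that appear in the thread's logs.
"""
import re

# HijackThis reports Internet Explorer's Trusted sites zone as
# "O15 - Trusted Zone: <host>" / "O15 - Trusted IP range: <ip>" lines, and the
# WinINet proxy as an "R1 - ...Internet Settings,ProxyServer = host:port" line.
O15_RE = re.compile(r"^O15 - Trusted (?:Zone|IP range): (.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (.+)$")

# Hostnames a hijacked HOSTS file typically targets (assumed list for this example).
PROTECTED_DOMAINS = ("microsoft.com", "update.microsoft.com", "windowsupdate.com", "google.co.uk")

# Addresses that make a HOSTS entry a block rather than a redirect.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Characters commonly swapped for lookalike names (m1cr0soft -> microsoft).
# "1" stands in for both "i" and "l", so all three are folded together.
_CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s"})


def canonical(host: str) -> str:
    """Fold confusable characters so a lookalike name compares equal to the real one."""
    return host.lower().translate(_CONFUSABLES)


def parse_hjt(log_text: str):
    """Return (trusted_zone_entries, proxy_server) from HijackThis log text."""
    trusted, proxy = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = O15_RE.match(line)
        if m:
            trusted.append(m.group(1))
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            proxy = m.group(1).strip()
    return trusted, proxy


def parse_hosts(hosts_text: str):
    """Yield (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def _is_protected(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def hosts_findings(hosts_text: str):
    """Flag HOSTS entries that redirect a protected domain or use a lookalike name.

    Returns tuples: ("redirect", host, ip) or ("lookalike", host, real_domain).
    Protected names pointed at a sinkhole address are left alone, since that is
    how ordinary ad/malware-blocking HOSTS files work.
    """
    findings = []
    for ip, host in parse_hosts(hosts_text):
        if _is_protected(host):
            if ip not in SINKHOLE_IPS:
                findings.append(("redirect", host, ip))
            continue
        folded = canonical(host)
        for d in PROTECTED_DOMAINS:
            if folded == canonical(d) or folded.endswith("." + canonical(d)):
                findings.append(("lookalike", host, d))
                break
    return findings


# Constructed sample inputs (not taken from the thread's machine).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.888.com
O15 - Trusted Zone: http://www.watch-movies-online.tv
O15 - Trusted IP range: 192.168.1.254
"""

SAMPLE_HOSTS = """
# constructed HOSTS file
127.0.0.1       localhost
203.0.113.7     update.microsoft.com    # protected host sent elsewhere
203.0.113.7     m1cr0soft.com           # lookalike of microsoft.com
127.0.0.1       ads.example.net         # ordinary blocking entry
"""

if __name__ == "__main__":
    trusted, proxy = parse_hjt(SAMPLE_HJT)
    print(f"{len(trusted)} Trusted-zone entries to review: {trusted}")
    # Any proxy you did not configure yourself means browser traffic is being steered.
    print(f"Proxy setting to review: {proxy}")
    for kind, host, detail in hosts_findings(SAMPLE_HOSTS):
        print(f"HOSTS {kind}: {host} -> {detail}")
```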

0

Hi,
One of the firewalls is a hardware one :-)

Do I really need to remove all of my trusted websites (I have IE locked down except for websites I need JS for)?

Thanks again

0

Thanks for the clarification on the firewalls.

jbennet called this when he moved your thread to this forum.

Moving to the viruses/malware board.

Check you don't have any dodgy entries in the HOSTS file. Prepare a HijackThis log too.

Do I really need to remove all of my trusted websites (I have IE locked down except for websites I need JS for)?

Evidently not "locked down" tight enough.
Obviously I would not have recommended the removal of those trusted sites if there were not bad sites listed there, and there are multiple sites on the list known to install unwanted programs and files. There are too many to list separately and I will not do so.
But a sampling of notations concerning a good number of the sites you have listed as Trusted includes:

Will flash up malware warnings from any good firewall program. Makes 9 registry changes, installs 7 malware apps, will make 3 OLE changes to your firewall. No uninstall option.

What happens: download software, register before install (no bank details), install, offer or free game given, now add bank details.

This site is a known Smitfraud-C website, which utilizes an ActiveX codec to trigger the distribution of the trojan. Don't go here, because Smitfraud is something you don't want to catch!

Free games! Just get a virus installed on your PC!

Listed on HMOS Domain Warning List

Closed my account recently small amount of money went missing...

Those are listings for only 6 of the different websites on your Trusted Sites. And when testing some of the others, MY security programs would not allow my computer to access them at all.
The choice is yours. Yes, I can see that "some" of the sites listed there seem to be clean sites, but in that mix is a multitude of bad ones also, ones NOT to be Trusted, yet there they are anyway, listed as trusted sites. I personally remove all entries from the Trusted Zone as it is generally unnecessary for them even to be there.

If you don't want to follow recommended procedures to stop the hijacking, as GrimJack pointed out it very likely is, and jbennet indicated when he moved the thread to its present location in the Viruses, Spyware and other Nasties forum, then I can only say good luck.

0

As commando as I am, I don't want to go it alone!

I have removed all sites from the trusted list.

Can I ask where you got your info on the websites? And should I just bin IE for all internet transactions?!

I ran the anti-malware and nothing showed up.

I also ran two other anti-rootkit apps - also nothing.

0

Here is the Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:16, on 18/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe
D:\jr-T2\T\ware\latest\TestXSLT_T\T_Studio\bin\Debug\T_Studio.vshost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\jr-T2\AdminDocs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TodoMain.txt.lnk = D:\jr-T2\AdminDocs\Todo\TodoMain.txt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236783645078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258923827640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 5876 bytes

Your help is still greatly appreciated!

0

Some of the bad websites were already familiar to me from previous computer clean-ups, but one way to tell if a website is clean is using Web Of Trust, which is a small add-on for both Internet Explorer and Firefox. It adds a small button to the top of the browser. When you go to a good website the button will be green, a questionable site will show as yellow/orange and one with poor reputation will show as red. Google searches will also show those same indicators next to the listings given. Now of course not all websites are listed, some have not yet been rated and naturally there is no way to rate every single website in the world, but at least it gives some indication. By clicking on the button, whether on your browser or a Google line, you can get info given by others concerning the site in question. But as I said, when I see listings in the Trusted Zone I always check them out because much of the time they just aren't needed there. Occasionally there will be a completely unfamiliar site to me and I will ask the poster. Many times those are business related for the poster and their job requires them; those I would not recommend removing. But those are few and far between.
One "red flag" to me in the Trusted Zone is gaming sites. Many require the install of ActiveX programs to use them and many are NOT good sites. Obviously some are fine. But many are not. Some of yours were not. Install WOT and you will find out which ones, as I am not going to list them again here.
You said you ran MBA-M. Even though the log showed nothing I still need to see that complete log. What anti-rootkit programs did you run?
As for not using IE, that is your choice. It is not nearly as secure as Firefox but some sites do require its use.

0

Hello,

This is how "Windows Automatic Updates" works...

The inbuilt Microsoft application contacts the Microsoft website for any updates and might notify you, based on the way you have configured Windows Updates.

Regards,

Sheltan T T
