Trojan.Pidief.G

No to free smiles... have no idea what it even is. No to refunds online. Yes, I am familiar with Task Manager and regedit. Not sure about command post, though I'm a quick learner. Just downloaded HijackThis and saved it to the desktop. Going to first update Malwarebytes and run it again. Then I'll do HijackThis. I'll also go to one of my other forums and see if I can post.

Hi Bagger

I meant if you can bring up Task Manager, or regedit, or Run, or a command prompt now, or if perhaps some malware is preventing you from doing that. I didn't mean if you knew how to use those features, just if they can be used without any problems.

Sorry for the misunderstanding. Yes, I can get to regedit and Task Manager. I went to another forum I belonged to and successfully uploaded a JPEG and a Word doc. Below is the most recent Malwarebytes scan. It did find one threat. I'll also try attaching the .txt file. In the next post I'll cut-and-paste the HijackThis log.

Malwarebytes' Anti-Malware 1.44
Database version: 3673
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/1/2010 2:52:31 PM
mbam-log-2010-02-01 (14-52-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234776
Time elapsed: 40 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:58 PM, on 2/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\1.2.0.53\ccSvcHst.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\1.2.0.53\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jim and Teresa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080320
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Symantec Norton Safety Minder BHO - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\1.2.0.39\coIEPlg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim and Teresa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\1.2.0.53\ccSvcHst.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10380 bytes
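Reading a HijackThis log is mostly a matter of pulling the handful of entries worth a second look out of dozens of routine ones. The script below is an added example written for this page, not a tool from HijackThis, Symantec or any poster in the thread: it splits a run-together log back into one item per line and flags the entry types a log reader checks first (an O2 BHO whose DLL is "(no file)", an O9 button pointing at a missing file, downloaded ActiveX controls under O16, anything under O20 AppInit_DLLs, and an old Java runtime). The sample input is seven entries copied from the log above and deliberately flattened onto one line; the Java 6 cut-off and the wording of each reason are my assumptions, not anything the thread states.

```python
import re

# Sample input: seven entries copied from the HijackThis log above and
# deliberately run together on one line, the way the forum flattened it.
RUN_TOGETHER = (
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll "
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) "
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll "
    r"O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jim and Teresa\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) "
    r"O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab "
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL "
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe"
)

# Every HijackThis item starts with a section code (R0..R3, F0..F3, O1..O24)
# followed by " - ". Splitting on a lookahead keeps the code with its item.
ITEM_START = re.compile(r"(?=\b(?:R[0-3]|F[0-3]|O\d{1,2}) - )")
ITEM_RE = re.compile(r"^(?P<code>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
MIN_JRE = (1, 6, 0, 0)   # assumption: anything below Java 6 is reported as outdated


def reflow(text):
    """Split a run-together HijackThis log into one item per line (needs Python 3.7+)."""
    return [part.strip() for part in ITEM_START.split(text) if part.strip()]


def triage(lines):
    """Return (code, reason, line) for the entries a log reader looks at first."""
    findings = []
    for line in lines:
        m = ITEM_RE.match(line)
        if not m:
            continue   # header lines such as "Running processes:" and paths
        code, body = m.group("code"), m.group("body")
        if code == "O2" and body.endswith("(no file)"):
            findings.append((code, "orphaned BHO: CLSID registered but DLL missing", line))
        elif code == "O9" and "(file missing)" in body:
            findings.append((code, "IE extra button points at a missing file", line))
        elif code == "O16":
            findings.append((code, "downloaded ActiveX control (DPF); confirm it is wanted", line))
        elif code == "O20":
            findings.append((code, "AppInit_DLLs loads this DLL into every process that uses user32", line))
        jre = JRE_RE.search(body)
        if jre:
            ver = tuple(int(x) for x in jre.groups())
            if ver < MIN_JRE:
                findings.append((code, "outdated Java runtime jre%d.%d.%d_%02d" % ver, line))
    return findings


if __name__ == "__main__":
    items = reflow(RUN_TOGETHER)
    print("\n".join(items))
    print()
    for code, reason, line in triage(items):
        print("[%s] %s\n    %s" % (code, reason, line))
```

To use it on a real log, paste the whole log (flattened or not) into RUN_TOGETHER; the reflow step is harmless on a log that already has one item per line. The findings are a reading order, not a verdict: the orphaned BHO and the O20 entry in this log both turn out to be leftovers of legitimate software, which is exactly the kind of thing the log reader confirms by hand.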

Hi Bagger

I'm not an expert in HijackThis logs, but I am wondering about this file. It may be nothing, since I'm not an expert.

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

I don't think you have a Dell computer. I also notice that you have old versions of Java and Adobe. We'll have to wait till someone can check out your log.

I do have a Dell.

Calls,

I totally believe you got Trojan.Pidief.G from Yahoo. I was just on the CBS forums and got attacked by the same thing. Insight caught it and said that it had quarantined and removed it. Located in my Firefox cache. Now I am totally freaked and P.O.'d that CBS could not know that something like that is there. I'm doing a scan and cleared my FF cache. I guess my lappy is fine. Norton saved the day.

I had updated Adobe and Flash like a week ago.

Stupid virus ruined my breakfast.

Hi Bagger

I've asked someone else to help out here with reading these logs and checking whether you are all cleaned up yet.

Bagger:

Are you saving these logs in Notepad before saving them to your desktop?

rayofsunshine, are you replying to me or Bagger? My OP was about Trojan.Pidief.G being blocked. I was just wanting to know if there was more that I needed to do. Did I need to delete anything from my system? There was nothing noted in the quarantine, and the alert seemed to indicate that the issue was resolved. But I'm not sure if I need to delete anything, as it indicated that the file name was

C:\Users\MYpc\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Low\Content.ie5\I3uls7th\ohdfe02c5cv0100f007006rd9513401986c7201049kedbe917[1].pdf

Now I try to find this file and I can't. So if this was blocked at point of contact, why does it indicate that something is in the location above?

Also, why is the title of my original post changed? I did not submit a HJT scan log. My question was specific to my issue, and now the thread has gone off in a different direction.

Also, I have seen other threads where Auto-Protect blocked something and the user has something in quarantine. Mine did not have anything in quarantine.

Again, my notification is as follows:

Risk: Trojan.Pidief.G
Risk level: High
Component: Auto-Protect
Action taken: Blocked
Status: Blocked
Recommended action: Resolved No Action

So is it that Auto-Protect works in a different way? Like in my case it was an attempt from a website (drive-by?) and thus was blocked before entering, and in other people's cases it is something that got on the computer and then attempted to activate, so Auto-Protect stopped it and then had to quarantine it?

Just want to make sure that there is nothing more I need to do. It is the fact that others are reporting quarantined items and I have none that is concerning me. Should I also have something quarantined too?

Calls,

I was responding in regards to you. I also got attacked while visiting a normal web page in the forums of CBS (television station website). Norton caught it in my temp files (cache), just as it did for you. Norton removed it from my cache, quarantined it and reported it back to Norton.

I did full scans with NIS 2010 and Malwarebytes and everything came back clean. I deleted my cache (temp files) for peace of mind.

If it was blocked by Norton and removed, and all scans have come up clean since, we both should be fine.

My statement is just regarding the Trojan.Pidief.G attack.

Now to try and answer your question:

"Now I try to find this file and I can't. So if this was blocked at point of contact, why does it indicate that something is in the location above?"

If I am incorrect I hope someone will tell me, but I think the infected advertisement or whatever started to store itself in your IE temp files, and once it started entering, Norton scanned and analyzed it and took action in a matter of seconds. That's why it shows a location in your Norton history report, but now there is nothing there in that location. It was removed, or it is showing you the intended target for infection.

rayofsunshine
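The item Calls's history points at is a PDF that had begun landing in IE's Temporary Internet Files, and Trojan.Pidief is Symantec's family name for PDF documents built to exploit Adobe Reader. When a copy of such a file does survive (in a browser cache, or exported from quarantine onto an isolated machine), the standard first triage, done without ever opening the file in a reader, is a pdfid-style keyword count: look for the names that make a PDF run code as soon as it is opened (/OpenAction, /AA, /JavaScript, /JS, /Launch), including inside compressed streams and behind the #xx name escapes that malicious files use to hide those names. The script below is an added example, not code from any poster or from Norton; both sample documents are constructed inline (the "suspect" one carries only an app.alert call, no exploit), and the scoring in verdict() is my own heuristic.

```python
import re
import zlib

# Names that make a PDF reader execute something on open. /ObjStm and
# /EmbeddedFile are not dangerous by themselves but are where payloads hide.
RISKY = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
         "/EmbeddedFile", "/RichMedia", "/ObjStm")
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream body runs from "stream\n" to "\nendstream"; the lookbehind keeps
# the "stream" inside "endstream" from being taken as a new start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data):
    """Fold hex-escaped names (/J#61vaScript) back to their plain form (/JavaScript)."""
    return NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the decompressed body of every stream that inflates cleanly as zlib."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue   # not FlateDecode (or corrupt); the raw bytes are still scanned


def triage_pdf(data):
    """Count risky name tokens in the raw file and inside every inflated stream."""
    views = [unescape_names(data)] + [unescape_names(s) for s in inflate_streams(data)]
    counts = {}
    for tok in RISKY:
        # the lookahead stops /JS from also counting as a prefix of a longer name
        pat = re.compile(tok.encode() + rb"(?![A-Za-z])")
        counts[tok] = sum(len(pat.findall(v)) for v in views)
    return counts


def verdict(counts):
    """Heuristic (assumption): auto-run plus script or launch is suspect; script alone needs review."""
    autorun = counts["/OpenAction"] + counts["/AA"]
    script = counts["/JavaScript"] + counts["/JS"]
    if autorun and (script or counts["/Launch"]):
        return "suspicious"
    if script or counts["/Launch"] or counts["/EmbeddedFile"]:
        return "review"
    return "likely benign"


# Constructed sample 1: a minimal empty document.
BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: an OpenAction pointing at a JavaScript action whose
# name is hex-escaped and whose code sits in a FlateDecode stream. The script
# is a harmless app.alert, not an exploit.
_stream = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample, no exploit');) >>")
SUSPECT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_stream)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _stream + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        counts = triage_pdf(doc)
        hits = ", ".join("%s=%d" % (k, v) for k, v in counts.items() if v)
        print("%-8s %-14s %s" % (name, verdict(counts), hits or "no risky names"))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage_pdf. A count of zero does not prove a file clean (the names can also be hidden in object streams with other filters, which this example does not decode), but a hit on /OpenAction together with /JavaScript in a PDF that arrived unrequested from an ad network is enough to treat it as hostile and leave the rest to a sandbox.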

Yes I am. Thanks, floplot.

My bad, Calls. I did it when I discovered I couldn't save attachments to the post. I tried to capture what scan I was pasting in the body by editing the subject line. My apologies.

Hi Bagger

It's hard to get anyone to try and make out what your logs are showing when all the lines of it are run together. These logs are usually made line by line, with one item per line, not like one giant long sentence. It doesn't look like you copied it from the logs themselves.

Bagger,

Just that I'm not really good at understanding all this and it was confusing me, your issue as it related to my issue.

Thanks for your feedback, rayofsunshine.

Now, when you say that it removed it from your cache and quarantined it, do you mean you actually had an item in the quarantine history? In my case there was nothing in the quarantine history, but there was some indication in the regular history that it submitted information to Norton.

Just wanting to clarify if you actually had an entry in your quarantine history regarding this, or if by "quarantine" you meant Norton stopped it and kept it from entering your system.

Hi Bagger

Are you pasting from Notepad?

Try using WordPad. Notepad is notorious for stringing lines together.



Hi Bagger

If you are using a pop-up blocker, please either disable it or allow this site in it. That may be blocking your ability to use the add attachment feature.