Author Topic: [Inactive] Has OmniTech taken control of my security?  (Read 5221 times)


Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #15 on: March 27, 2012, 06:33:17 pm »
I assume that "attach.txt" is the zip file that I pasted, as I did not see any such thing with the results from the initial scan.

Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #16 on: March 27, 2012, 06:36:57 pm »
I'll go over my work. I think that I might have missed a step.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 24727
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #17 on: March 27, 2012, 06:48:55 pm »
That hijackthis log was not the one I needed. Please follow the instructions posted above. The list I need is the one with just the startup programs. That might tell us why the program keeps getting installed.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #18 on: March 27, 2012, 06:56:56 pm »
Hi Hoov,

In your instructions, you told me to run "Hijackthis again" at the end of your post. Where I think that I'm goofing up is in running it in the first place. Do I run it before the download by DDS?:

"I am going to move this thread to the malware removal board, as it is probable that you still have malware installed on your computer.

We need to see some information about what is happening in your machine.  Please perform the following scan:

    Download DDS by sUBs from one of the following links.  Save it to your desktop.
        DDS.scr
    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
    Notepad will open with the results.
    Please copy and paste both logs into your next response. You may need more than one response.
    Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download and run hijackthis again and go to the Misc tools section, at the top there is a button marked Generate StartupList Log. Click that button, and a notepad window will open with the log. Copy the log and paste it in your next reply.  DO NOT check the two boxes next to the button."

Thank you.

Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #19 on: March 27, 2012, 07:17:04 pm »
In other words, when the message appears: "DDS has created 2 log files," and I click "Okay," I have only the DDS.txt to post on the forum. The Attach.txt file does not appear?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 24727
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #20 on: March 27, 2012, 07:29:06 pm »
About the attach.txt, we can skip that for now.

About hijackthis, if you see the first screen below, then click the highlighted button. If you see the second screen below, click the highlighted button marked main menu, then the highlighted button in the first screenshot. That will get you the generate Startuplist log.


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 24727
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #21 on: March 27, 2012, 07:29:43 pm »
It does not matter which order you run them in.


Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #22 on: March 27, 2012, 08:49:49 pm »
Thank you. I think that I got it:

StartupList report, 3/27/2012, 7:48:01 PM
StartupList version: 1.52.2
Started from : C:\Users\Bertrand\AppData\Local\Temp\Temp1_HijackThis-1.zip\HijackThis.EXE
Detected: Windows 7  (WinNT 6.00.3504)
Detected: Internet Explorer v9.00 (9.00.8112.16421)
* Using default options
==================================================

Running processes:

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Bertrand\AppData\Local\Temp\Temp1_HijackThis-1.zip\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 24727
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #23 on: March 27, 2012, 09:07:52 pm »
Is the computer running in safe mode?


Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #24 on: March 27, 2012, 09:17:15 pm »
I don't think that it was in safe mode because the resolution on the screen appeared normal and the text didn't appear extra large. However, just before running hijackthis the computer froze up and I had to power it off manually. Therefore, it did not boot back up normally.

Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #25 on: March 27, 2012, 09:26:23 pm »
I just did a normal shut down and start up and ran hijackthis again:

StartupList report, 3/27/2012, 8:24:32 PM
StartupList version: 1.52.2
Started from : C:\Users\Bertrand\AppData\Local\Temp\Temp2_HijackThis-1.zip\HijackThis.EXE
Detected: Windows 7  (WinNT 6.00.3504)
Detected: Internet Explorer v9.00 (9.00.8112.16421)
* Using default options
==================================================

Running processes:

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Bertrand\AppData\Local\Temp\Temp2_HijackThis-1.zip\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files (x86)\TRELLIAN\Toolbar\toolbar.dll - {24180B00-2EB6-11d7-BD6F-004854603DCE}
Somoto Toolbar - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll - {652853ad-5592-4231-88c6-706613a52e61}
(no name) - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (file missing) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
(no name) - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll - {9FDDE16B-836F-4806-AB1F-1455CBEFF289}
(no name) - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
URLRedirectionBHO - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL - {B4F3A835-0E21-4959-BA22-42B3008E02FF}
Google Dictionary Compression sdch - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E}

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #4: C:\Windows\system32\napinsp.dll
NameSpace #5: C:\Windows\system32\pnrpnsp.dll
NameSpace #6: C:\Windows\system32\pnrpnsp.dll
NameSpace #7: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
NameSpace #8: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
NameSpace #9: C:\Windows\system32\wshbth.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: *Registry key not found*

--------------------------------------------------
End of report, 3,952 bytes
Report generated in 0.171 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
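
As an added illustration that is not part of the original thread: the report in Reply #22 stops after the Policies Shell section, while the one in Reply #25 runs through to "End of report" and lists the Browser Helper Objects. The Python below checks a pasted StartupList report for that trailer and pulls out the BHO entries, flagging the ones marked "(file missing)" or "(no name)". Function and variable names are this example's own, and it assumes the report layout seen in those two replies.

```python
import re

SEP = re.compile(r"^-{10,}\s*$")
BHO = re.compile(r"^(?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?"
                 r" - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")

# Constructed samples in the StartupList 1.52.2 layout; the two BHO lines are
# copied from the report in Reply #25, everything else is trimmed for brevity.
TRUNCATED = r"""StartupList report, 3/27/2012, 7:48:01 PM
Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

--------------------------------------------------
"""
FULL = TRUNCATED + r"""
Enumerating Browser Helper Objects:

Somoto Toolbar - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll - {652853ad-5592-4231-88c6-706613a52e61}
(no name) - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (file missing) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06}

--------------------------------------------------
End of report, 3,952 bytes
"""

def section(lines, header):
    """Non-empty lines between `header` and the next dashed separator, or None."""
    if header not in lines:
        return None
    body = []
    for line in lines[lines.index(header) + 1:]:
        if SEP.match(line):
            break
        if line:
            body.append(line)
    return body

def triage(report):
    """Summarise one pasted report: is it complete, and which BHOs need a look?"""
    lines = [l.strip() for l in report.splitlines()]
    body = section(lines, "Enumerating Browser Helper Objects:")
    bhos = []
    for m in filter(None, map(BHO.match, body or [])):
        flags = [f for f, hit in (("file missing", m["missing"]),
                                  ("no name", m["name"] == "(no name)")) if hit]
        bhos.append({"name": m["name"], "path": m["path"],
                     "clsid": m["clsid"].upper(), "flags": flags})
    return {"complete": any(l.startswith("End of report,") for l in lines),
            "has_bho_section": body is not None, "bhos": bhos}
```

A report that comes back with `complete` set to false is worth regenerating before anyone reads conclusions into the sections it lacks.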

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 24727
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #26 on: March 27, 2012, 09:45:11 pm »
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #27 on: March 27, 2012, 10:33:03 pm »
The system will not let me copy and paste the report (no issues were found).

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 24727
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #28 on: March 27, 2012, 11:03:05 pm »
* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Offline bertrgo

  • Bronze Member
  • Posts: 83
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #29 on: March 27, 2012, 11:18:14 pm »
I'm going to proceed with Combofix in the morning. Thank you for all your help tonight.

Bert