Thread: Hijacked Permissions

  1. #1
    Member
    Join Date
    Jun 2012
    Location
    Galveston TX
    Posts
    37

    ESET online scanner

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=6abd7d19f0fdea4e8dd4b096474fbff6
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-07-07 11:48:18
    # local_time=2012-07-07 06:48:18 (-0600, Central Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5121 16777213 100 75 1795582 5975580 0 0
    # compatibility_mode=5893 16776574 66 85 24419391 93240334 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=300430
    # found=32
    # cleaned=0
    # scan_time=8014
    C:\Documents and Settings\rayh\Documents\Downloads\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\-PST_7.25\hacktherazr.com-PST_7.25.rar probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\pst-7.2.3.rar\pst-7[1].2.3.rar probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\PST_7.2.3_works\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Video Converter\D2S122B3.zip Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Zone Alarm\zlsSetup_70_470_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\-PST_7.25\hacktherazr.com-PST_7.25.rar probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\PST_7.2.3\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Video Stuff\1cnet_streaming-video-recorder_full403_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Documents\Ray\Video Stuff\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Downloads\jZipV1.exe a variant of Win32/Toolbar.SearchSuite application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Downloads\winamp5581_full_emusic-7plus_en-us.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\rayh\Downloads\winamp561_full_emusic-7plus_en-us.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Downloads\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\-PST_7.25\hacktherazr.com-PST_7.25.rar probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\pst-7.2.3.rar\pst-7[1].2.3.rar probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\PST_7.2.3_works\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Video Converter\D2S122B3.zip Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Zone Alarm\zlsSetup_70_470_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\-PST_7.25\hacktherazr.com-PST_7.25.rar probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\PST_7.2.3\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip probably a variant of Win32/Bifrose.LDPMWAT trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Video Stuff\1cnet_streaming-video-recorder_full403_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Documents\Ray\Video Stuff\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Downloads\jZipV1.exe a variant of Win32/Toolbar.SearchSuite application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Downloads\winamp5581_full_emusic-7plus_en-us.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\rayh\Downloads\winamp561_full_emusic-7plus_en-us.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07012012_152325\C_Program Files (x86)\Searchqu Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07012012_152325\C_Program Files (x86)\Searchqu Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07012012_152325\C_Program Files (x86)\Searchqu Toolbar\Datamngr\IEBHO.dll a variant of Win32/Toolbar.SearchSuite application (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07052012_103514\C_Program Files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07052012_103514\C_Program Files (x86)\StartNow Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07052012_103514\C_Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I

  2. #2
    Senior Member
    Join Date
    Feb 2012
    Location
    Ireland
    Posts
    176


    Hi rayben,

    Run OTL Script
    We need to run an OTL Fix
    • Right click OTL.exe and select Run as Administrator to start the program.
    • Copy and Paste the following code into the textbox. Do not include the word Code
      Code:
      :files
      C:\Users\rayh\Documents\Downloads\winamp5621_full_emusic-7plus_all.exe
      C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\-PST_7.25\hacktherazr.com-PST_7.25.rar
      C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\pst-7.2.3.rar\pst-7[1].2.3.rar
      C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\PST_7.2.3_works\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip
      C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Video Converter\D2S122B3.zip
      C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Zone Alarm\zlsSetup_70_470_000_en.exe
      C:\Users\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\-PST_7.25\hacktherazr.com-PST_7.25.rar
      C:\Users\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\PST_7.2.3\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip
      C:\Users\rayh\Documents\Ray\Video Stuff\1cnet_streaming-video-recorder_full403_exe.exe
      C:\Users\rayh\Documents\Ray\Video Stuff\winamp5621_full_emusic-7plus_all.exe
      C:\Users\rayh\Downloads\jZipV1.exe
      C:\Users\rayh\Downloads\winamp5581_full_emusic-7plus_en-us.exe
      C:\Users\rayh\Downloads\winamp561_full_emusic-7plus_en-us.exe
      :commands
      [EMPTYTEMP]
      [CREATERESTOREPOINT]
    • Then click the Run Fix button at the top.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.




    Remove Out of date Programs
    • The following programs installed on your PC are out of date and represent a significant risk of re-infection.
      Adobe Flash Player 10 ActiveX
      Adobe Flash Player 11 Plugin
      Adobe Reader 9.5.1
      Java(TM) 6 Update 31
    • Click on Start, then click the Search Programs and Files box on the Start Menu.
    • Copy and paste the value below, into the open text entry box:
      appwiz.cpl
    • Locate the out of date program(s) above.
    • Select the program and click on Uninstall to uninstall it.
    • Please also uninstall jZip. It appears to be bundled with the searchqu infection you had.
    • Repeat these steps for each program in the list. When finished, close the Control Panel window.


    You can get up to date versions of the programs you removed using the links below.
    http://get.adobe.com/flashplayer/
    http://get.adobe.com/reader/
    http://java.com/en/download/index.jsp


    Security Check
    • Please download Security Check by screen317 from one of the links below:
    • Save it to your Desktop.
    • Right click SecurityCheck.exe and select "Run as administrator", then follow the onscreen instructions inside the black box.
    • A Notepad document should open automatically called checkup.txt
    • Please post the contents of that document.



    Let me know if you still have any issues in your next post.

    diver.
    Proud Graduate of the MalWare Removal University
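The ESET log in post #1 and the `:files` fix in post #2 are two ends of one job: decide which of the 32 detections are distinct files still on disk, then hand OTL the list. The script below is an added example, not code from the thread, from ESET or from OTL. It parses a constructed excerpt in the same line format as the log (five of its lines), folds together the junction duplicates (on Windows Vista and 7, `C:\Documents and Settings` is a compatibility junction onto `C:\Users`, which is why every user-profile hit appears twice), drops entries already sitting in OTL's `C:\_OTL\MovedFiles` quarantine from the earlier runs, and prints the fix text. The function names and the sample lines are mine. Two reading notes the log itself supports: `remove_checked=false` means the scan ran in report-only mode, so `cleaned=0` and "unable to clean" on every line are expected rather than a failure, and the six `_OTL` hits are files an earlier OTL fix had already moved out of Program Files.

```python
"""Turn an ESET Online Scanner log into an OTL ':files' fix.

Added example for this thread, not code from ESET or OTL.  The log
excerpt below is constructed in the same format as the log in post #1
(five of its 32 lines); the helper names are mine.
"""
import re
from collections import Counter
from dataclasses import dataclass

ZERO_HASH = "0" * 32  # every line in the thread's log carries an all-zero 32-digit hash field


def _log_line(path, detection):
    """One finding line in ESET's format: <path> <detection> (<action>) <hash> <flag>."""
    return f"{path} {detection} (unable to clean) {ZERO_HASH} I"


SAMPLE_LOG = "\n".join([
    "# remove_checked=false",   # report-only run: findings are listed, nothing is cleaned
    "# found=5",
    "# cleaned=0",
    _log_line(r"C:\Documents and Settings\rayh\Downloads\jZipV1.exe",
              "a variant of Win32/Toolbar.SearchSuite application"),
    _log_line(r"C:\Documents and Settings\rayh\Downloads\winamp561_full_emusic-7plus_en-us.exe",
              "Win32/OpenCandy application"),
    _log_line(r"C:\Users\rayh\Downloads\jZipV1.exe",
              "a variant of Win32/Toolbar.SearchSuite application"),
    _log_line(r"C:\Users\rayh\Downloads\winamp561_full_emusic-7plus_en-us.exe",
              "Win32/OpenCandy application"),
    _log_line(r"C:\_OTL\MovedFiles\07012012_152325\C_Program Files (x86)\Searchqu Toolbar\Datamngr\IEBHO.dll",
              "a variant of Win32/Toolbar.SearchSuite application"),
]) + "\n"


@dataclass(frozen=True)
class Finding:
    path: str        # path exactly as ESET printed it
    detection: str   # e.g. "a variant of Win32/OpenCandy application"
    action: str      # e.g. "unable to clean"


# Every finding line ends with: (<action>) <32-hex hash> <flag>
_TAIL = re.compile(
    r"^(?P<rest>.+) \((?P<action>[^()]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$")
# The detection is the trailing "[probably ][a variant of ]<family> <type>" of <rest>;
# everything before it is the path (paths may contain spaces, so anchor from the end).
_DETECTION = re.compile(
    r" (?P<det>(?:probably )?(?:a variant of )?\S+ (?:application|trojan|worm|virus|backdoor))$")
# On Vista/7, <drive>:\Documents and Settings is a junction onto <drive>:\Users.
_LEGACY_PROFILE_ROOT = re.compile(r"^([A-Za-z]:)\\Documents and Settings\\", re.IGNORECASE)
# Files OTL has already moved out of the way live under <drive>:\_OTL\MovedFiles.
_OTL_QUARANTINE = re.compile(r"^[A-Za-z]:\\_OTL\\MovedFiles\\", re.IGNORECASE)


def parse_eset_log(text):
    """One Finding per detection line; '# key=value' header lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tail = _TAIL.match(line)
        if tail is None:
            continue
        det = _DETECTION.search(tail.group("rest"))
        if det is None:
            continue
        findings.append(Finding(tail.group("rest")[:det.start()],
                                det.group("det"), tail.group("action")))
    return findings


def canonical_path(path):
    """Fold the legacy profile root onto \\Users so junction duplicates compare equal."""
    return _LEGACY_PROFILE_ROOT.sub(lambda m: m.group(1) + "\\Users\\", path)


def dedupe(findings):
    """Keep the first finding per canonical path, in log order."""
    seen = {}
    for f in findings:
        key = canonical_path(f.path).lower()
        if key not in seen:
            seen[key] = Finding(canonical_path(f.path), f.detection, f.action)
    return list(seen.values())


def live_files(findings):
    """Findings still in place, i.e. not already in OTL quarantine."""
    return [f for f in findings if not _OTL_QUARANTINE.match(f.path)]


def otl_files_fix(findings):
    """OTL fix text: a ':files' list plus the ':commands' used in post #2."""
    lines = [":files"] + [f.path for f in live_files(findings)]
    lines += [":commands", "[EMPTYTEMP]", "[CREATERESTOREPOINT]"]
    return "\n".join(lines) + "\n"


def detection_counts(findings):
    """How many distinct files each detection name accounts for."""
    return Counter(f.detection for f in findings)


if __name__ == "__main__":
    unique = dedupe(parse_eset_log(SAMPLE_LOG))
    for det, n in detection_counts(unique).most_common():
        print(f"{n:3d}  {det}")
    print(otl_files_fix(unique))
```

Fed the full log from post #1, `dedupe` reduces the 32 lines to 19 distinct files and `otl_files_fix` emits exactly the 13 `C:\Users\...` paths in the fix above, in the same order; the other six are the Searchqu and StartNow toolbar files already under `_OTL\MovedFiles`, which a second `:files` pass would not need to touch.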

  3. #3
    Member
    Join Date
    Jun 2012
    Location
    Galveston TX
    Posts
    37


    OTL Fix

    All processes killed
    ========== FILES ==========
    C:\Users\rayh\Documents\Downloads\winamp5621_full_emusic-7plus_all.exe moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\-PST_7.25\hacktherazr.com-PST_7.25.rar moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\pst-7.2.3.rar\pst-7[1].2.3.rar moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Motorola Mobile\PST_7.2.3_works\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Video Converter\D2S122B3.zip moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\Buster My Documents\Download\Zone Alarm\zlsSetup_70_470_000_en.exe moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\-PST_7.25\hacktherazr.com-PST_7.25.rar moved successfully.
    C:\Users\rayh\Documents\Ray\Old Buster\J2\My Documents\Downloads\Motorola\PST_7.2.3\Motorola PST 7[1].2.3 Phone Programmer + PST UNI Patch.zip moved successfully.
    C:\Users\rayh\Documents\Ray\Video Stuff\1cnet_streaming-video-recorder_full403_exe.exe moved successfully.
    C:\Users\rayh\Documents\Ray\Video Stuff\winamp5621_full_emusic-7plus_all.exe moved successfully.
    C:\Users\rayh\Downloads\jZipV1.exe moved successfully.
    C:\Users\rayh\Downloads\winamp5581_full_emusic-7plus_en-us.exe moved successfully.
    C:\Users\rayh\Downloads\winamp561_full_emusic-7plus_en-us.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: rayh
    ->Temp folder emptied: 8647589 bytes
    ->Temporary Internet Files folder emptied: 310595 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 266522035 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 619 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7904 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 34882 bytes
    RecycleBin emptied: 380 bytes

    Total Files Cleaned = 263.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.53.0 log created on 07082012_125520

    Files\Folders moved on Reboot...
    C:\Users\rayh\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\rayh\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...

    Security Check

    Results of screen317's Security Check version 0.99.42
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    McAfee Anti-Virus and Anti-Spyware
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.61.0.1400
    Mozilla Firefox (13.0.1)
    Mozilla Thunderbird (13.0.1)
    Google Chrome 19.0.1084.56
    Google Chrome 20.0.1132.47
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Spybot Teatimer.exe is disabled!
    Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````


    My remaining issues are:

    I may have inadvertently added Administrator as a login. Originally there were only the Ray & Alice logins. I really don't want a separate administrator account.

    I'm not sure rayh is the sole administrator. I share this computer with my wife; we use the same login.

    I still have a desktop folder with the original contents but my desktop is clear. I would like to know how to fix that if we decide not to leave it clear. An uncluttered desktop is very pleasing

    I would like to know how to avoid the problems I've had in the future. McAfee doesn't catch anything and never has on any of its weekly scans. Would you suggest the tools and habits most effective in staying out of trouble?

    I really appreciate what you have done and have been very impressed with the tools we have been using and the expert guidance I've been receiving.

    Thanks
    rayh

  4. #4
    Senior Member
    Join Date
    Feb 2012
    Location
    Ireland
    Posts
    176


    I may have inadvertently added Administrator as a login. Originally there were only the Ray & Alice logins. I really don't want a separate administrator account.
    See instructions below for disabling the built in admin account.
    • Open the Start menu, and type lusrmgr.msc in the search line and press Enter.
    • Expand the Users folder in the left hand pane.
    • Right click on the Administrator user and select Properties.
    • Place a check in the Account is disabled checkbox and click the OK button.


    I'm not sure rayh is the sole administrator. I share this computer with my wife; we use the same login.
    The rayh account does appear to have admin access. I would leave things the way they are once you disable the Administrator account.

    I still have a desktop folder with the original contents but my desktop is clear. I would like to know how to fix that if we decide not to leave it clear. An uncluttered desktop is very pleasing
    OK, it sounds like an infection has hidden these files. Run the tool below and let me know if you get them back.
    Unhide.exe
    Please download Unhide.exe and save it to your Desktop.

    • Right-click on Unhide.exe and select "Run as administrator" to run it.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    • Please note that this will unhide files that are purposely hidden.


    I would like to know how to avoid the problems I've had in the future. Mcafee doesn't catch anything and never has on any of it's weekly scans. Would you suggest the tools and habits most effective in staying out of trouble?
    No Anti-Virus application can offer 100% protection from infection. Malware writers are constantly refining the techniques they use to infect a system. It is somewhat of a reactive process. Ultimately you are the biggest line of defence from infection. Safe browsing habits will go a long way to ensure you steer clear of malware. See this post for further information.

    I really appreciate what you have done and have been very impressed with the tools we have been using and the expert guidance I've been receiving.
    Thank you, you're most welcome.


    The securitycheck log shows that you are using an out of date version of Internet Explorer. You should update to the latest version using Windows Update.

    Let me know if the admin account issue and hidden desktop icons are resolved in your next reply. If so I will give the all clean and have this topic closed.
    Proud Graduate of the MalWare Removal University
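The two account questions answered above (is the built-in Administrator enabled, and which accounts actually hold admin rights) can be checked from a command prompt rather than by clicking through lusrmgr.msc. What follows is an added example, not code from the thread or anything Microsoft ships: on Windows 7, `net localgroup Administrators` lists the group's members and `net user <name>` reports whether each account is enabled, and `net user Administrator /active:no` does the same thing as ticking "Account is disabled" in lusrmgr.msc. The script parses constructed copies of that output (built to mirror the thread: Administrator and rayh both enabled and both in the group), reports the members whose accounts are actually enabled, and only runs the real commands when it is on Windows. It assumes English-locale `net` output; members it cannot query locally, such as domain accounts, are skipped rather than guessed at.

```python
"""Audit enabled local administrators from `net` command output.

Added example for this thread, not code from the thread.  The command
outputs below are constructed in the Windows 7 `net localgroup` /
`net user` format to mirror rayh's situation (built-in Administrator
and rayh both enabled and both members of Administrators).
"""
import subprocess
import sys

# Constructed `net localgroup Administrators` output.
SAMPLE_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rayh
The command completed successfully.
"""

# Constructed `net user <name>` outputs, keyed by account name.
SAMPLE_NET_USER = {
    "Administrator": """User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
Account active               Yes
Account expires              Never
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
""",
    "rayh": """User name                    rayh
Full Name
Account active               Yes
Account expires              Never
Local Group Memberships      *Administrators       *HomeUsers
Global Group memberships     *None
The command completed successfully.
""",
}


def parse_localgroup_members(text):
    """Member names printed after the dashed rule in `net localgroup <group>`."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
        elif line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            members.append(line.strip())
    return members


def parse_net_user(text):
    """{'active': bool, 'groups': [...]} from `net user <name>` output."""
    info = {"active": False, "groups": []}
    for line in text.splitlines():
        if line.startswith("Account active"):
            info["active"] = line.split()[-1].lower() == "yes"
        elif line.startswith("Local Group Memberships"):
            # Groups are '*'-prefixed columns; splitting on '*' keeps names with spaces intact.
            info["groups"] = [g.strip() for g in line.split("*")[1:] if g.strip()]
    return info


def enabled_admins(localgroup_text, net_user_texts):
    """Administrators members whose account is enabled; members we cannot query are skipped."""
    return [name for name in parse_localgroup_members(localgroup_text)
            if name in net_user_texts and parse_net_user(net_user_texts[name])["active"]]


def collect_outputs():
    """Real command output on Windows; the constructed samples everywhere else."""
    if sys.platform != "win32":
        return SAMPLE_LOCALGROUP, SAMPLE_NET_USER
    run = lambda *args: subprocess.run(["net", *args], capture_output=True, text=True).stdout
    localgroup = run("localgroup", "Administrators")
    return localgroup, {n: run("user", n) for n in parse_localgroup_members(localgroup)}


if __name__ == "__main__":
    localgroup, users = collect_outputs()
    admins = enabled_admins(localgroup, users)
    print("Enabled local administrators:", ", ".join(admins) or "(none)")
    if "Administrator" in admins:
        # Same effect as ticking "Account is disabled" in lusrmgr.msc.
        print("Disable the built-in account with:  net user Administrator /active:no")
```

After disabling the built-in account, rerunning the script should list rayh alone; if it still lists Administrator, the account was re-enabled (for example by a recovery tool) and is worth a second look.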

  5. #5
    Member
    Join Date
    Jun 2012
    Location
    Galveston TX
    Posts
    37

    Last issues

    Just a couple small issues left:

    I'm still getting that message from User Account Control on startup to allow FWUPDATE.exe. Location "C:\Program Files (x86) g-fwupdate.exe" birun.
    This doesn't seem normal. I'm not sure whether I should allow or not.

    One other small issue is that when I download a file it used to ask me where to place the file. I see the dialog box flash on the screen but it always proceeds to the same location. I would like to get back to where I determine the location for my downloads.

    Last but not least it would be valuable to me to have a copy or access to these five pages of interchanges between us. Can I save a copy of these conversations between us because there is a lot of valuable information I have not been able to thoroughly review like I'd like?

    Again thank you very much. My problems seem to be resolved and I am very happy with the service you guys have provided.

    rayben

  6. #6
    Senior Member
    Join Date
    Feb 2012
    Location
    Ireland
    Posts
    176


    Hi rayben,

    You can allow the FWUPDATE.exe prompt to continue. It is looking to check for updates for your cd-rom firmware.

    Let me know what browser you use so I can help you fix the download issue.

    You can save the information on these pages by using your browser's Save As function or by just copying the text on each page. You will however always be able to access this topic, even after it is closed.

    Looks like we are all set here, cleanup instructions below.

    Congratulations, your PC is now free from infection 8) Follow the steps below to clean up the tools we have used and tighten your system's security.


    Clear infected restore points
    We need to run an OTL Fix
    • Right click OTL.exe and select Run as Administrator to start the program.
    • Copy and Paste the following code into the textbox. Do not include the word Code
      Code:
      :commands
      [CLEARALLRESTOREPOINTS]
      [REBOOT]
    • Then click the Run Fix button at the top.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.



    Clean up with OTL
    • Right click OTL.exe and select Run as Administrator to start the program. This will remove all the tools we used to clean your pc.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CleanUp! button
    • Say Yes to the prompt and then allow the program to reboot your computer.



    Additional Security Tips.
    Update your Antivirus programs and other programs regularly.
    Secunia Personal Software Inspector - Copyright © Secunia. This app will monitor programs on your computer for known vulnerabilities. You can set it to auto-update for you, or just prompt you if an update is available. I highly recommend it.
    F-secure Health Check - Copyright © F-Secure Corporation. F-Secure Health Check is a free application that tells you if your computer is protected and helps you fix possible security issues.


    Microsoft Windows Update
    Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office and fix any bugs found. Install the updates immediately if they are found.
    To update Windows
    Go to Start > All Programs > Windows Update > Check for updates.
    To update Office
    Open up any Office program.
    Go to Help > Check for Updates


    Read, stay informed.
    To help minimize the chances of becoming re-infected, please read.
    So how did I get infected in the first place?


    Please let me know that you completed the cleanup steps. Once I receive your reply, unless there are other malware questions or concerns, I will have this topic closed as resolved.
    Proud Graduate of the MalWare Removal University

  7. #7
    Member
    Join Date
    Jun 2012
    Location
    Galveston TX
    Posts
    37


    Hello,
    I have completed the cleanup steps.
    The cleanup of my computer has been a truly positive experience with you guys.

    Thank You Very Much
    rayben
