2 issues: tt1.tmp.vbs missing / "Spyware detected" desktop

Discussion in 'Windows - Virus and spyware problems' started by whiteshoe, Aug 12, 2008.

  1. Zoneblitz

    Zoneblitz Member

    Joined:
    Aug 13, 2008
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    11
    The Malwarebytes is prompting me to restart, but I have the HijackThis still up. I guess I need to wait before I restart?
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Stop HJT and restart..
     
  3. Zoneblitz

    I got my desktop and screensaver settings back. Woo hooo. What do I need to do now, 2oldGeek?
     
  4. 2oldGeek

    @ Zoneblitz,


    1.) Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)

    O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe

    IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    Click the Fix checked button and close HiJackThis


    2.) Delete Files on Reboot

    Start Hijackthis
    Click on the Config button
    Click on the Misc Tools button
    Click on the button labeled Delete a file on reboot...
    A new window will open asking you to select the file that you would like to delete on reboot.
    Navigate to each file (in RED) and click on it once, and then click on the Open button.

    O4 - HKLM\..\Run: [octblido] C:\windows\system32\octblido.exe

    You will now be asked if you would like to reboot your computer to delete the file.
    Click on the Yes button if you are finished, otherwise click on the No button to continue entering files.


    After the reboot,
    post me a fresh HijackThis log.


    2OG
     
  5. Zoneblitz

    Did the HijackThis scan again and it looks like I have 2 of those HKLM, one is a kernelfaultcheck and the other is an octblido. Want me to check both of them?
     
  6. 2oldGeek

    NO, the other one is a good line...
     
  7. Zoneblitz

    For some reason the WordPad is not coming up to let me copy it like it did the 1st time. How do I get that up?
     
  8. Zoneblitz

    Never mind, I figured it out. I wasn't clicking the "Do a system scan and save a log file". Sorry about that.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:28:50 PM, on 8/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 3059 bytes
     
    Last edited: Aug 23, 2008
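
Added example, not part of the thread and not HijackThis code: the check the helper does by eye (does the `octblido` autorun line still remain in a fresh log, and which file does it point at) done by parsing the O4 lines of two logs and diffing them. The "after" log and the `%systemroot%` = `C:\WINDOWS` mapping are assumptions made for this example.

```python
import re

# Constructed sample: the O2/O4 lines copied from the log posted above.
LOG_BEFORE = r"""
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [octblido] %systemroot%\octblido.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""
# Constructed "after" log for this example: the same lines minus the octblido entry.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "[octblido]" not in l)

# Only the HKLM/HKCU registry autorun form seen in the posted log is handled.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Assumption: %systemroot% is C:\WINDOWS, matching the process paths in the log.
ENV = {"systemroot": r"C:\WINDOWS"}

def resolve_exe(cmd):
    """Expand %var% references and strip arguments from an autorun command."""
    cmd = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), cmd)
    # Quoted paths end at the closing quote; unquoted ones are assumed to
    # contain no spaces, which holds for every entry in the posted log.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return exe.lower()

def parse_o4(log):
    """Map (hive, key, value name) -> resolved executable path for each O4 line."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name)] = resolve_exe(cmd)
    return entries

def diff_autoruns(before_log, after_log):
    """Classify autorun entries as removed, remaining or added between two logs."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    return {
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "remaining": {k: after[k] for k in before.keys() & after.keys()},
        "added": {k: after[k] for k in after.keys() - before.keys()},
    }

if __name__ == "__main__":
    for status, entries in diff_autoruns(LOG_BEFORE, LOG_AFTER).items():
        for (hive, key, name), exe in sorted(entries.items()):
            print(f"{status:9} {hive}\\{key} [{name}] -> {exe}")
```
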
  9. 2oldGeek

    @ Zoneblitz,

    You can find it here:

    C:\Program Files\Trend Micro\HijackThis\HijackThis.log

    just double click on it to open.
     
  10. Zoneblitz

    I finally figured it out. It's above your post. Let me know.
     
  11. 2oldGeek

    I'm quite capable of figuring out where the posts are. Been doing this a long time.

    Did you delete that line??? It's still there. Delete it again and if it comes back, you may have a rootkit that's putting it back.

    let me know.
     
  12. Zoneblitz

    OK, I made it to the window that opens that reads "Enter File to delete on reboot".

    What do I do here?

    All I see in the box are:
    Backups (when I open this one there's a lot of stuff but I don't see anything in red)
    Hijackthis (this is the saved WordPad document from this scan)
    Hijackthis (this is to run HijackThis)
     
  13. 2oldGeek

    I’m really sorry, Zoneblitz, but I don’t have the time to give Basic Computer Literacy Classes.

    I’m not getting paid for this so my only suggestion is to get an older brother/sister that understands the basics of a computer to help you.

    When the O4 line is gone and the file associated with it has been deleted, you will be clean..

    Have a nice day,
    2OG
     
  14. Zoneblitz

    Let me make sure I'm going to the right place. When I double click HiJackThis from my desktop do I click the one that reads "None of the above just start the program"? You never said in your post so I was just guessing. Sorry for any inconvenience I've caused you.
     
  15. 2oldGeek

    When all else fails, try reading the instructions.

    When you get it, let me know..
     
  16. Zoneblitz

    I can't figure it out. Been trying an hour now.

    I type this O4 - HKLM\..\Run: [octblido] C:\windows\system32\octblido.exe but it says not found. Maybe I can't find it because we deleted it already?

    Oh well, thanks for your help. I really do appreciate it.


     
  17. Zoneblitz

    Have a few more simple questions for you since you are very knowledgeable.

    1. Is the Bluejoke considered a virus?

    2. I pay money to McAfee every year for an antivirus program. Is having an antivirus really worth it? What really made me angry is I called them when I got this and they wanted to charge money to remove this. Mine expires in 2 months. Should I renew?

    3. After I got this I sent some people pictures via email. Is there any chance I might have given them this Bluejoke too? Just curious.

    Thanks in advance!!
     
  18. 2oldGeek

    I am really busy right now but I will try to get back to you later and answer some or all of your questions. It may be tomorrow.

    Hang in there. If you were able to delete that O4 line then you'll be OK and I can help you delete the file with an easier method.
     
  19. Zoneblitz

    Thanks again
     
  20. Oukeef

    Oukeef Member

    Joined:
    Aug 19, 2008
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    11
    2oldGeek, I really appreciate your help and was wondering if there was anything I could do to help you out. You helping me has inspired me to help others. I did well in school and was always decent with computers. I am now interested in helping others in removing malware from their computers and was wondering where you learned the info you know.
     
