
Search-Daily haunts me - please help! [RESOLVED]


  • This topic is locked

#16
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Twistie,

The "f" word (format) is still a long way off in the distance at this stage.

Let's just try another method.

Please download the following and save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Cheers,

sage5
  • 0



#17
Twistie

Twistie

    Member

  • Topic Starter
  • Member
  • 29 posts
Heya Sage, WOW, combofix got rid of those pesky files. And so refreshing!! My internet now goes, without any delay or hesitation to the destination I ask it, aaaaaah, such relief!!


Here are the logs:

COMBOFIX:

ComboFix 08-01-14.1 - Sharyn 2008-01-13 13:27:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.259 [GMT -9:00]
Running from: C:\Documents and Settings\Sharyn\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3.tmp
C:\4.tmp
C:\WINDOWS\fnts~1
C:\WINDOWS\system32\comdlg32p.dll
C:\WINDOWS\system32\comreplp.dll
C:\WINDOWS\system32\drivers\cduqprxh.dat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\wnstssv32.exe
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HCAAXOUP
-------\LEGACY_JKYYQJDD
-------\LEGACY_POOF
-------\hcaaxoup
-------\jkyyqjdd


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 13:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 18:12 . 2008-01-11 18:12 741,632 --a------ C:\WINDOWS\system32\xoxchvsn.dat
2008-01-11 18:12 . 2008-01-11 18:12 120,576 --a------ C:\WINDOWS\system32\aruwkcyi.dat
2008-01-11 18:12 . 2008-01-11 18:12 42,240 --a------ C:\WINDOWS\system32\yfaopypm.dat
2008-01-11 18:12 . 2008-01-11 18:12 36,608 --a------ C:\WINDOWS\system32\muxhxwrb.dat
2008-01-11 18:12 . 2008-01-11 18:12 35,072 --a------ C:\WINDOWS\system32\thjhaxya.dat
2008-01-04 21:08 . 2008-01-04 21:08 <DIR> d-------- C:\Documents and Settings\Sharyn\Application Data\Watchtower
2008-01-01 11:16 . 2008-01-01 11:16 <DIR> d-------- C:\Documents and Settings\Sharyn\Application Data\Comodo
2008-01-01 11:16 . 2008-01-01 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-01 02:08 . 2008-01-01 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-01 02:04 . 2008-01-02 18:41 <DIR> d-------- C:\Program Files\Comodo
2008-01-01 01:39 . 2007-03-14 01:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-31 18:00 . 2007-12-31 18:00 <DIR> d-------- C:\Deckard
2007-12-30 10:35 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 09:47 . 2008-01-14 13:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 09:47 . 2008-01-14 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 09:46 . 2007-12-30 09:46 0 --a------ C:\WINDOWS\system32\QuickTime.qtp
2007-12-29 13:09 . 2007-12-29 13:09 <DIR> d-------- C:\VundoFix Backups
2007-12-29 11:59 . 2007-12-30 10:42 <DIR> d-------- C:\Documents and Settings\Sharyn\.housecall6.6
2007-12-22 20:56 . 2007-12-22 20:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-12-22 16:02 . 2007-12-22 16:02 <DIR> d-------- C:\Documents and Settings\Sharyn\Application Data\Yahoo!
2007-12-21 17:56 . 2007-12-22 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 03:28 --------- d-----w C:\Documents and Settings\Sharyn\Application Data\MSN6
2008-01-01 10:39 --------- d-----w C:\Program Files\Java
2007-12-23 05:21 --------- d-----w C:\Program Files\Yahoo!
2007-12-02 23:39 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-02 23:39 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
2007-12-02 23:39 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-11-30 03:12 --------- d-----w C:\Program Files\AOL Games
2007-11-30 03:06 --------- d-----w C:\Program Files\Bookworm Deluxe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2003-06-17 14:43 208896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-17 13:24 77824]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-01-26 10:46 53248]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 14:44 7957504]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 21:29 32768]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 04:50 73728]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 06:40 430080]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-17 17:29 7700480]

S3 pnicml;pnicml;C:\DOCUME~1\Sharyn\LOCALS~1\Temp\pnicml.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\run_cdviewer.exe

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 12:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert.SharynWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
"2008-01-12 11:20:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 13:32:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\AppCert\prx93f_.dll
.
Completion time: 2008-01-14 13:34:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 22:34:23



HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:07 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sharyn\Desktop\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)






Sage, you ROCK, thanks soooo much for taking all this time to fix my computer, I will definitely be recommending this site to others!!

Twistie :)

Edited by Twistie, 13 January 2008 - 04:51 PM.

  • 0

#18
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Twistie,

Nearly done,

Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\xoxchvsn.dat
    C:\WINDOWS\system32\aruwkcyi.dat
    C:\WINDOWS\system32\yfaopypm.dat
    C:\WINDOWS\system32\muxhxwrb.dat
    C:\WINDOWS\system32\thjhaxya.dat
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Run another Online Scan:
Disable your antivirus program while running this scan.
  • Open Internet Explorer, type http://www.eset.eu/online-scanner in the Address Bar & hit Enter to go to ESET Online Scanner
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

Try to run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Also include the text from the C:\Program Files\EsetOnlineScanner\log.txt


The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.


Cheers,

sage5
  • 0

#19
Twistie

Twistie

    Member

  • Topic Starter
  • Member
  • 29 posts
Here are the scans:



OTMOVEIT:

C:\WINDOWS\system32\xoxchvsn.dat moved successfully.
C:\WINDOWS\system32\aruwkcyi.dat moved successfully.
C:\WINDOWS\system32\yfaopypm.dat moved successfully.
C:\WINDOWS\system32\muxhxwrb.dat moved successfully.
C:\WINDOWS\system32\thjhaxya.dat moved successfully.

Created on 01142008_172816



ESET:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2788 (20080113)
# vers_arch_module=1.061 (20080110)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=300b9f37726c364faace351a56f449c2
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-01-15 03:14:07
# local_time=2008-01-14 06:14:07 (-0900, Alaskan Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=219850
# found=33
# scan_time=2173
C:\14.tmp a variant of Win32/TrojanDownloader.PurityScan trojan 2A38239859E35060827003C76E712A27
C:\14.tmp »NSIS »Yazzle1552OinAdmin.exe a variant of Win32/TrojanDownloader.PurityScan trojan 00000000000000000000000000000000
C:\15.tmp Win32/TrojanDownloader.Agent.NPG trojan 4B947FC727F1B7995D587396AA3FC3A7
C:\Deckard\System Scanner\20071231180315\backup\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe Win32/Adware.AVSystemCare application 18AE02995AA8A18C64E6D2B47E1FBAD0
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea multiple infiltrations DE2C8BA9DF15911E2931B013C5CE5628
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »BnnnnBaa.class Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »VaannnaaBaa.class Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »Dnnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »Bnnnnn.class Java/ClassLoader.AS trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »Den.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »Din.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »Dun.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20071230-210945-411.dll Win32/TrojanClicker.Delf.NAZ trojan 8C88D1AA4C47F69C21911A2BDFA5E15F
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20071230-210945-581.dll Win32/BHO.AGZ trojan F60DA107654DE79BCE53BB9428466D46
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20080101-013822-533.dll Win32/BHO.AGZ trojan F60DA107654DE79BCE53BB9428466D46
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20080101-013823-833.dll Win32/TrojanClicker.Delf.NAZ trojan 8C88D1AA4C47F69C21911A2BDFA5E15F
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20080101-150218-256.dll Win32/TrojanClicker.Delf.NAZ trojan 8C88D1AA4C47F69C21911A2BDFA5E15F
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20080101-150218-588.dll Win32/BHO.AGZ trojan F60DA107654DE79BCE53BB9428466D46
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20080111-180429-398.dll Win32/TrojanClicker.Delf.NAZ trojan 8C88D1AA4C47F69C21911A2BDFA5E15F
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20080111-180429-543.dll Win32/BHO.AGZ trojan F60DA107654DE79BCE53BB9428466D46
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip multiple infiltrations A486030B5A128BD03EBC526A35BDBB15
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip »ZIP »kprof Win32/TrojanProxy.Wopla.NAC trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip »ZIP »koos.exe Win32/TrojanProxy.Wopla.NAC trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip »ZIP »poof Win32/TrojanProxy.Wopla.NAC trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip »ZIP »comreplp.dll Win32/TrojanClicker.Delf.NAZ trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip »ZIP »cduqprxh.dat Win32/Agent.NOU trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip »ZIP »comdlg32p.dll Win32/BHO.AGZ trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\3.tmp.vir a variant of Win32/TrojanDownloader.PurityScan trojan 2A38239859E35060827003C76E712A27
C:\QooBox\Quarantine\C\3.tmp.vir »NSIS »Yazzle1552OinAdmin.exe a variant of Win32/TrojanDownloader.PurityScan trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\4.tmp.vir Win32/TrojanDownloader.Agent.NPG trojan 4B947FC727F1B7995D587396AA3FC3A7
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe Win32/Adware.AVSystemCare application 18AE02995AA8A18C64E6D2B47E1FBAD0
C:\WINDOWS\system32\AppCert\wsil32.dll Win32/Agent.NNJ trojan 388850ABCE7AA715D9D5FBC7C9A61180
C:\_OTMoveIt\MovedFiles\01012008_014526\WINDOWS\system32\~.exe probably a variant of Win32/TrojanDownloader.Murlo trojan 390F953D2A6AE3DE5D8DBF235CF2925A
  • 0

#20
Twistie

Twistie

    Member

  • Topic Starter
  • Member
  • 29 posts
DECKARD: Main.txt (this one opened, I'm not sure where to get Extra.txt)


Deckard's System Scanner v20071014.68
Run by Sharyn on 2008-01-14 18:44:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Sharyn.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:44:40 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Documents and Settings\Sharyn\Desktop\dss.exe
C:\DOCUME~1\Sharyn\Desktop\HIJACK~1\Sharyn.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)


-- Files created between 2007-12-14 and 2008-01-14 -----------------------------

2008-01-14 17:30:34 0 d-------- C:\Program Files\EsetOnlineScanner
2008-01-04 21:08:49 0 d-------- C:\Documents and Settings\Sharyn\Application Data\Watchtower
2008-01-02 18:44:25 0 d-------- C:\bfu
2008-01-01 11:16:39 0 d-------- C:\Documents and Settings\Sharyn\Application Data\Comodo
2008-01-01 11:16:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-01 02:08:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-01 02:04:38 0 d-------- C:\Program Files\Comodo
2007-12-29 13:09:29 0 d-------- C:\VundoFix Backups
2007-12-29 11:59:05 0 d-------- C:\Documents and Settings\Sharyn\.housecall6.6
2007-12-22 20:56:19 0 d-------- C:\Program Files\microsoft frontpage
2007-12-22 20:53:04 0 d-------- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Application Data\ACD Systems
2007-12-22 20:40:23 0 d--h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Templates
2007-12-22 20:40:23 0 dr------- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Start Menu
2007-12-22 20:40:23 0 dr-h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\SendTo
2007-12-22 20:40:23 0 d--h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Recent
2007-12-22 20:40:23 0 d--h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\PrintHood
2007-12-22 20:40:23 786432 --ah----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\NTUSER.DAT
2007-12-22 20:40:23 0 d--h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\NetHood
2007-12-22 20:40:23 0 d-------- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\My Documents
2007-12-22 20:40:23 0 d--h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Local Settings
2007-12-22 20:40:23 0 d-------- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Favorites
2007-12-22 20:40:23 0 d-------- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Desktop
2007-12-22 20:40:23 0 d---s---- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Cookies
2007-12-22 20:40:23 0 dr-h----- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Application Data
2007-12-22 20:40:23 0 d---s---- C:\Documents and Settings\Administrator.SHARYN-X4M9WH2N\Application Data\Microsoft
2007-12-22 20:20:41 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2007-12-22 20:18:00 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-22 20:18:00 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-22 20:17:59 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-22 20:17:59 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-22 20:17:59 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-22 20:17:59 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-12-22 20:17:59 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-22 20:17:59 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-22 20:17:59 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-22 20:17:59 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-12-22 20:17:59 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-22 20:17:59 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-12-22 20:17:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-22 20:17:59 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-22 16:02:50 0 d-------- C:\Documents and Settings\Sharyn\Application Data\Yahoo!
2007-12-21 17:56:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-01-02 18:28:59 0 d-------- C:\Documents and Settings\Sharyn\Application Data\MSN6
2008-01-01 01:39:17 0 d-------- C:\Program Files\Java
2007-12-22 20:25:21 0 d-------- C:\Program Files\Common Files
2007-12-22 20:21:06 0 d-------- C:\Program Files\Yahoo!
2007-12-02 14:39:43 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-02 14:39:43 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-11-29 18:12:02 0 d-------- C:\Program Files\AOL Games
2007-11-29 18:06:46 0 d-------- C:\Program Files\Bookworm Deluxe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [06/17/2003 02:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/17/2006 01:24 PM]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [01/26/2004 10:46 AM]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [09/30/2004 02:44 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [06/28/2004 09:29 PM]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [09/14/2005 04:50 AM]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [10/21/2005 06:40 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 02:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 02:43 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/17/2006 05:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\run_cdviewer.exe

*Newly Created Service* - HTTPFILTER



-- End of Deckard's System Scanner: finished at 2008-01-14 18:44:56 ------------
  • 0

#21
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Twistie,

Last files to delete:

Re run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\14.tmp
    C:\15.tmp
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe
    C:\WINDOWS\system32\AppCert\wsil32.dll
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Your log shows you are not running Anti-virus or Firewall software.
These are essential items and need to be loaded before we can continue fixing your PC.

I have listed a couple of free versions of both. Please download and install 1 Anti-virus and 1 Firewall.

Firewalls: Please install one only.
Comodo Firewall Pro or Sunbelt Personal Firewall

Anti-virus: Please install one only:
Avast! Free Edition or AntiVir PersonalEdition Classic

Anti-Virus Tutorials/Manuals:
Avast Tutorial
Avast Manual
Antivir Manual

Please allow the new Anti-virus to run a full System scan, and at the end of the process you should be able to save a scan log.
If the scan report window does not have a Save as Report button (or similar), you may be able to highlight the text in the window & copy & paste it to a new Notepad file.
Save it as C:\avscan.txt if you can.

I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt

Cheers,

sage5
  • 0
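The ESET log in post #19 and the move list sage5 builds from it in post #21 follow a pattern that is easy to automate: every detection line is "path, detection name, type, MD5", and many of the hits sit in folders where earlier tools (ComboFix's QooBox, OTMoveIt's MovedFiles, the HijackThis and Deckard backups) have already parked removed files, so they are leftovers rather than active infections. The script below is an added example and is not code from this thread, from ESET or from Geeks to Go; the list of quarantine folders and the parsing rules are the author's own assumptions, and the sample lines are a subset copied from the log posted above. Which entries in the "live" bucket actually need action is still the helper's call.

```python
"""Triage an ESET Online Scanner log (the format posted in this thread):
split detections into files parked in quarantine/backup folders by earlier
cleanup tools (leftovers) and files in live locations (still need action).
Added example; not code from the thread, ESET or Geeks to Go."""
import re
from dataclasses import dataclass

# Folders where the cleanup tools used in this thread park removed files.
# ASSUMPTION: this list is the author's own; extend it for other tools.
CONTAINED_MARKERS = (
    "\\qoobox\\quarantine\\",        # ComboFix quarantine
    "\\_otmoveit\\movedfiles\\",     # OTMoveIt moved files
    "\\hijackthis\\backups\\",       # HijackThis backups
    "\\deckard\\system scanner\\",   # Deckard's System Scanner backups
    "\\vundofix backups\\",
)

# One detection line: "<path> <detection> <type> <md5>". Path and detection
# both contain spaces, so the detection is pinned to its "family/variant"
# token and the line is anchored on the trailing 32-hex MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?: (?P<name>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+)"
    r" (?P<kind>trojan|application)"
    r"| (?P<multi>multiple infiltrations))"
    r" (?P<md5>[0-9A-Fa-f]{32})$"
)
NO_HASH = "0" * 32  # ESET reports this for entries nested inside archives


@dataclass(frozen=True)
class Finding:
    path: str       # full path, including any »NSIS / »ZIP inner members
    container: str  # outermost file on disk
    name: str       # detection name ("multiple infiltrations" for containers)
    md5: str
    nested: bool    # True for members inside an archive/installer


def parse_line(line: str):
    """Return a Finding for a detection line, or None for headers/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if m is None:
        return None
    path = m.group("path")
    container = path.split(" »", 1)[0]
    name = m.group("name") or m.group("multi")
    return Finding(path, container, name, m.group("md5").upper(), "»" in path)


def is_contained(path: str) -> bool:
    """True if the file sits in a quarantine/backup folder of a cleanup tool."""
    lower = path.lower()
    return any(marker in lower for marker in CONTAINED_MARKERS)


def triage(log_text: str) -> dict:
    """Bucket on-disk files into 'live' and 'contained'. Nested entries are
    folded into their container, since that is the file actually on disk."""
    buckets = {"live": [], "contained": []}
    seen = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.container in seen:
            continue
        seen.add(f.container)
        buckets["contained" if is_contained(f.container) else "live"].append(f)
    return buckets


def live_paths(log_text: str) -> list:
    """Sorted on-disk paths that still need a cleanup decision."""
    return sorted(f.container for f in triage(log_text)["live"])


# Constructed sample: a subset of the detection lines posted in this thread.
SAMPLE_LOG = r"""
# found=33
# scan_time=2173
C:\14.tmp a variant of Win32/TrojanDownloader.PurityScan trojan 2A38239859E35060827003C76E712A27
C:\14.tmp »NSIS »Yazzle1552OinAdmin.exe a variant of Win32/TrojanDownloader.PurityScan trojan 00000000000000000000000000000000
C:\15.tmp Win32/TrojanDownloader.Agent.NPG trojan 4B947FC727F1B7995D587396AA3FC3A7
C:\Deckard\System Scanner\20071231180315\backup\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe Win32/Adware.AVSystemCare application 18AE02995AA8A18C64E6D2B47E1FBAD0
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea multiple infiltrations DE2C8BA9DF15911E2931B013C5CE5628
C:\Documents and Settings\Sharyn\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-2923e8ea »ZIP »Dnnny.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Sharyn\Desktop\hijackthis\backups\backup-20071230-210945-411.dll Win32/TrojanClicker.Delf.NAZ trojan 8C88D1AA4C47F69C21911A2BDFA5E15F
C:\QooBox\Quarantine\catchme2008-01-14_133219.09.zip multiple infiltrations A486030B5A128BD03EBC526A35BDBB15
C:\QooBox\Quarantine\C\4.tmp.vir Win32/TrojanDownloader.Agent.NPG trojan 4B947FC727F1B7995D587396AA3FC3A7
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe Win32/Adware.AVSystemCare application 18AE02995AA8A18C64E6D2B47E1FBAD0
C:\WINDOWS\system32\AppCert\wsil32.dll Win32/Agent.NNJ trojan 388850ABCE7AA715D9D5FBC7C9A61180
C:\_OTMoveIt\MovedFiles\01012008_014526\WINDOWS\system32\~.exe probably a variant of Win32/TrojanDownloader.Murlo trojan 390F953D2A6AE3DE5D8DBF235CF2925A
"""

if __name__ == "__main__":
    for bucket, findings in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(findings)}) ==")
        for f in findings:
            print(f"  {f.name:48} {f.container}")
```

On the sample, the contained bucket holds the QooBox, OTMoveIt, HijackThis-backup and Deckard-backup copies, while the live bucket holds the four paths sage5 lists in post #21 plus the Java deployment-cache file, which the log flags but the thread does not address; the same MD5 showing up in both buckets (4.tmp.vir in QooBox and 15.tmp in C:\) is a quick way to spot a dropper that reappeared after quarantine.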

#22
Twistie

Twistie

    Member

  • Topic Starter
  • Member
  • 29 posts
Hey Sage,

Here is my MOVEIT log:

C:\14.tmp moved successfully.
C:\15.tmp moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\AppCert\wsil32.dll NOT unregistered.
C:\WINDOWS\system32\AppCert\wsil32.dll moved successfully.

Created on 01152008_113054


I did install Comodo Firewall and Antivir last time you asked however, Comodo would not let me access the internet so I uninstalled it. I have the Windows Firewall active. Is this not enough? As for Antivir, it kept having those little spasms and beeping at me about my infection but could not delete it and it was so irritating that I uninstalled that too. I bought McAfee antivirus program some time ago, do you think this will be OK?

Thanks :)

Edited by Twistie, 14 January 2008 - 02:34 PM.


#23
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Twistie,

Right, so that should be the last of the infection cleared.
Now on to your Questions:

I did install Comodo Firewall and Antivir last time you asked however, Comodo would not let me access the internet so I uninstalled it. I have the Windows Firewall active. Is this not enough?



In my opinion No.
The native Windows Firewall is notoriously poor at stopping/analysing outbound traffic, especially the types generated by
a) Trojans trying to download other malware.
b) Keyloggers calling "home" with potentially dangerous information from your PC (credit card/bank account details)
c) Malware reporting surfing habits.
It does a passable job at blocking inbound hacking, but not as good at "stealthing" (hiding) ports as many others, like Comodo, Sygate etc.

As for Antivir, it kept having those little spasms and beeping at me about my infection but could not delete it and it was so irritating that I uninstalled that too. I bought McAfee antivirus program some time ago, do you think this will be OK?


I use AntiVir myself & would far rather have an AV warn me of an infection than do nothing about it.
It also outscores McAfee in most areas at Here & Here
Ultimately the choice is yours, but I would like to see 1 antivirus & 1 firewall installed in the next HijackThis log you send me.

Cheers,

sage5

#24
Twistie

    Member

  • Topic Starter
  • Member
  • 29 posts
I installed Avira and Comodo as you asked. By the way, what is Windows Defender?


Here is my new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 4:09:55 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Sharyn\Desktop\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

#25
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Twistie

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.


Windows Defender is Microsoft's Anti-spyware application
I am not a huge fan, but others like it. Given that your copy does not seem to be operational, I would get rid of it via the Add/Remove Programs window.

In an earlier log you asked about Windows Installer 3.1.
This is an update to the standard Windows Installer that is used by a lot of programs.
Do not remove this one.

Now, on with the last housekeeping jobs & you can be on your way.

Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Cleanup with OTMoveIt:
  • Please double-click OTMoveIt2.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.


To Clear Restore points, please do the following:
  • Go to Start > Settings > Control Panel.
  • Double-click the System icon.
    • NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the System Restore tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.

Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:-

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
AVG Anti-Spyware is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5
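As an added example (not from this thread, and not HijackThis's own code), here is a small Python parser for the O4 autorun and O23 service lines of a HijackThis v1.99.1 log in the format posted above. It flags services whose binary HijackThis reports as "(file missing)" (which is how the non-operational Windows Defender shows up) and checks that an anti-virus guard service and a firewall service are actually present. The sample lines are constructed to match the format in this thread; the service short names used for the check are assumptions.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted in this thread.
SAMPLE_HJT_LOG = r'''
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
'''

# O4: registry Run-key autoruns. O23: installed services, "(file missing)" when the binary is gone.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$')
MISSING = " (file missing)"

def parse_hjt(text):
    """Return one dict per recognised O4/O23 line; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(dict(m.groupdict(), section="O4"))
            continue
        m = O23_RE.match(line)
        if m:
            d = dict(m.groupdict(), section="O23")
            d["file_missing"] = d["path"].endswith(MISSING)
            if d["file_missing"]:
                d["path"] = d["path"][:-len(MISSING)]  # keep the bare path
            entries.append(d)
    return entries

def missing_services(text):
    """Short names of services whose executable HijackThis could not find (dead installs)."""
    return [e["short"] for e in parse_hjt(text) if e["section"] == "O23" and e["file_missing"]]

def rundll_autoruns(text):
    """Autoruns launched via rundll32, i.e. a DLL entry point rather than a plain program."""
    return [e["name"] for e in parse_hjt(text)
            if e["section"] == "O4" and e["cmd"].lower().startswith("rundll32")]

def protection_installed(text, av_service="AntiVirService", fw_service="CmdAgent"):
    """True when both the AV guard and the firewall service are listed with a present binary."""
    present = {e["short"] for e in parse_hjt(text) if e["section"] == "O23" and not e["file_missing"]}
    return av_service in present and fw_service in present
```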



#26
Twistie

    Member

  • Topic Starter
  • Member
  • 29 posts
Aaaah, so nice to have control back. Thank you so much Sage, have a great year!!

#27
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
You are very welcome Twistie,

All the best,

sage5

#28
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.