Two trojans, possibly more. One hijacks browser searches



#1
Ganryu

  • Member
  • 13 posts
I'm suffering from two trojan infections.

1: One has two possible names. It is called either Jword or CnsMin. I cannot google for this name because all sites I find are extremely suspicious. It seems harmless and I think the purpose is to actually help with something when searching in either Japanese or Chinese, but it was forcefully installed against my will when installing support for Chinese in XP on this machine a while ago. It cannot be removed normally as it just reinstalls itself at startup. It even creates a start menu entry.

2: The other one struck me quite recently and it is highly critical for me, especially since it was originally only slightly annoying but is now turning into a complete browser-destructor. What it does is that it replaces the top search hits in any search engine (and any browser; I use Firefox normally but it strikes both Firefox and IE) with some fake links. Here is a screenshot. Observe that none of the URLs shown match the actual website (which should be www.slashdot.org) and how it seems to maintain the original TEXT of the hit, making it actually look like a legitimate site.

http://i6.photobucke...wsertrouble.jpg

Anyway. Hijackthis log time:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:52:33, on 2009-01-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\MiniProgram\AdAware 2008\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\MiniProgram\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Temporary Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program\InterVideo\Common\Bin\WinRemote.exe
C:\Program\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\MiniProgram\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
C:\Temporary Programs\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Temporary Programs\sysreset\mirc.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\MiniProgram\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\MiniProgram\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WINREMOTE] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\MiniProgram\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\Program\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [Eraser] C:\Temporary Programs\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...erInstaller.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} - http://www.clickteam...e3/vitalize.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\MiniProgram\AdAware 2008\aawservice.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\MiniProgram\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Temporary Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 10086 bytes

Thanks for the help
#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there and sorry for the delay, I would like a fresh look at your system

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

#3
Ganryu

Thanks for the reply. Now I might actually have this machine clean before Tuesday! (hopefully)

There were two logs.
CatchMe.log (this one could not be uploaded)
OTScanIt.txt (this was uploaded)

#4
Essexboy

Not a great deal showing there and no evidence of a rootkit. Do you know what this folder is? My tools cannot translate it: %ProgramFiles%\“Œ•û•¶‰Ô’Ÿ

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> _detmp.2 -> %SystemRoot%\_detmp.2
NY -> _detmp.1 -> %SystemRoot%\_detmp.1
NY -> 1116d7277f93f9472b83 -> %SystemDrive%\1116d7277f93f9472b83
NY -> 9e2500133df8c2bc46db27414675e8 -> %SystemDrive%\9e2500133df8c2bc46db27414675e8
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#5
Ganryu

The directory with the suspicious name %ProgramFiles%\“Œ•û•¶‰Ô’Ÿ is actually a game. The folder name is in Japanese, which got messed up.

No trouble arose from running ComboFix, though it interestingly enough did not prompt me to install Microsoft Windows Recovery Console, so I assume that was already installed a while ago.

Interestingly enough, I noticed that it removed THIS file c:\windows\system32\wdmaud.sys that was mentioned in another thread by someone who had a similar problem. I notice that I can now use search normally. JWord seems to still be on the machine.

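
The unreadable folder name discussed above is what a scan log shows when a double-byte name is displayed in a single-byte code page. As an added example (not part of the thread or of any tool used in it), this reverses that step for a list of candidate code pages; the candidate list, the function names and the second sample path are assumptions.

```python
import unicodedata

# Folder name exactly as it appears in the thread's scan output.
GARBLED = "%ProgramFiles%\\“Œ•û•¶‰Ô’Ÿ"
# Constructed sample: a name whose second byte is 0x5C, the backslash.
CONSTRUCTED = "C:\\Games\\•\\"

# (code page the viewer assumed, code page the name may have been stored in).
# The pair list is an assumption: a Western-locale viewer, East Asian software.
PAIRS = [("cp1252", "cp932"),   # Japanese (Shift-JIS)
         ("cp1252", "cp936"),   # Simplified Chinese (GBK)
         ("cp1252", "cp949"),   # Korean
         ("cp1252", "cp950")]   # Traditional Chinese (Big5)


def recover_candidates(garbled, pairs=PAIRS):
    """Return {stored code page: re-decoded text} for every pair that fits.

    The whole path is converted at once. Splitting on "\\" first would cut
    double-byte characters whose trail byte is 0x5C.
    """
    found = {}
    for shown_as, stored_as in pairs:
        try:
            raw = garbled.encode(shown_as)      # undo the wrong decoding
            text = raw.decode(stored_as)        # redo it with the candidate
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue                            # bytes do not fit this pair
        if text != garbled:                     # pure ASCII proves nothing
            found[stored_as] = text
    return found


def describe(text):
    """Name each non-ASCII character, for analysts who cannot read the script."""
    return [(ch, unicodedata.name(ch, "UNNAMED")) for ch in text if ord(ch) > 127]


if __name__ == "__main__":
    for codec, text in recover_candidates(GARBLED).items():
        print(codec, text)
        for ch, name in describe(text):
            print("   ", ch, name)
```

More than one code page can decode the same bytes cleanly, so the function returns every fit rather than picking one; here the poster's statement that the name is Japanese selects the cp932 reading.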

#6
Essexboy


I notice that I can now use search normally. JWord seems to still be on the machine.

This appears to be a JavaScript word-type programme for Japanese. There is some information here, and it looks as though it is exceedingly difficult to remove.

The Combofix log looked good and there does not appear to be any other malware to remove.

So what is the current state of your computer?

#7
Ganryu

The current state is that it is working. I can now search in google etc. etc without any trouble whatsoever. I would still like this jword thing removed, though.

#8
Essexboy

OK, I will clear my tools and see if I can find a resolution for this

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so...Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#9
Essexboy

OK, I have found the files that it drops onto the system; some of these will not exist on your system.



Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:\windows\downloaded program files\cnsmin.dll]
    
    :Files
    %INTERNET_CACHE%\content.ie5\3643RHGX\CnsMinIdn[1].cab
    %PROGRAM_FILES%\INASOFT\SDEFRAG\CnsMin.dll
    %WINDOWS%\Downloaded Program Files\CnsMinSV.dll
    %WINDOWS%\Downloaded Program Files\CnsMinSV.dll_tobedeleted
    %WINDOWS%\Downloaded Program Files\idnlite.dll
    %WINDOWS%\downloaded program files\jword.ico
    %WINDOWS%\downloaded program files\jwordhot.ico
    %WINDOWS%\DOWNLO~1\CnsMinSV.dll
    %WINDOWS%\DOWNLO~1\idnlite.dll
    %PROFILE%\recent\jword plugin.lnk
    %PROGRAMS%\japanese keywords\about japanese keyword.url
    %PROGRAMS%\japanese keywords\japanese keyword setting.url
    %PROGRAMS%\japanese keywords\uninstall.lnk
    
    :Commands
    [purity]
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#10
Ganryu

Thank you. This seems to be doing wonders :)
I also simply manually deleted the install directory for jWord and it hasn't reinstalled itself. It used to just reappear and reappear. Maybe the CnsMin that was previously deleted is the component that reinstalls jWord.

Here's the log

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:\windows\downloaded program files\cnsmin.dll\\ not found.
========== FILES ==========
Invalid Environment Variable: INTERNET_CACHE
Invalid Environment Variable: PROGRAM_FILES
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: PROFILE
Invalid Environment Variable: PROGRAMS
Invalid Environment Variable: PROGRAMS
Invalid Environment Variable: PROGRAMS
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_GAR~1\LOKALA~1\Temp\fla1A94.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_GAR~1\LOKALA~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f38.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01052009_222436

Files moved on Reboot...
File C:\DOCUME~1\HP_GAR~1\LOKALA~1\Temp\fla1A94.tmp not found!
C:\DOCUME~1\HP_GAR~1\LOKALA~1\Temp\hpodvd09.log moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_f38.dat not found!
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\fzsrrstk.default\Cache\_CACHE_MAP_ moved successfully.
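
Reading the result log above against the script that produced it, as an added example (not part of the thread and not OldTimer's code): it pairs each :Files instruction from post #9 with the verdict logged for it in post #10. It assumes the tool logs one FILES line per instruction, in script order; the function names are hypothetical.

```python
import re
from collections import Counter

# :Reg and :Files parts of the fix script (post #9), copied from the thread.
SCRIPT = r"""
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:\windows\downloaded program files\cnsmin.dll]
:Files
%INTERNET_CACHE%\content.ie5\3643RHGX\CnsMinIdn[1].cab
%PROGRAM_FILES%\INASOFT\SDEFRAG\CnsMin.dll
%WINDOWS%\Downloaded Program Files\CnsMinSV.dll
%WINDOWS%\Downloaded Program Files\CnsMinSV.dll_tobedeleted
%WINDOWS%\Downloaded Program Files\idnlite.dll
%WINDOWS%\downloaded program files\jword.ico
%WINDOWS%\downloaded program files\jwordhot.ico
%WINDOWS%\DOWNLO~1\CnsMinSV.dll
%WINDOWS%\DOWNLO~1\idnlite.dll
%PROFILE%\recent\jword plugin.lnk
%PROGRAMS%\japanese keywords\about japanese keyword.url
%PROGRAMS%\japanese keywords\japanese keyword setting.url
%PROGRAMS%\japanese keywords\uninstall.lnk
"""
# REGISTRY and FILES parts of the result log (post #10), copied from the thread.
RESULT = r"""
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:\windows\downloaded program files\cnsmin.dll\\ not found.
========== FILES ==========
Invalid Environment Variable: INTERNET_CACHE
Invalid Environment Variable: PROGRAM_FILES
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: WINDOWS
Invalid Environment Variable: PROFILE
Invalid Environment Variable: PROGRAMS
Invalid Environment Variable: PROGRAMS
Invalid Environment Variable: PROGRAMS
"""

def sections(text, header):
    """Group non-blank lines under the section header (regex, one group) above them."""
    out, name = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(header, line)
        if m:
            name = m.group(1).upper()
            out[name] = []
        elif name:
            out[name].append(line)
    return out

def reconcile(script, result):
    """Pair each :Files instruction with its logged verdict (assumes same order)."""
    wanted = sections(script, r":(\w+)")["FILES"]
    logged = sections(result, r"=+ (\w+) =+")["FILES"]
    if len(wanted) != len(logged):
        raise ValueError("FILES section does not line up with the script")
    report = []
    for path, verdict in zip(wanted, logged):
        var = re.match(r"%(\w+)%", path)
        bad = re.fullmatch(r"Invalid Environment Variable: (\w+)", verdict)
        if bad:
            # The path was never expanded, so this instruction did nothing.
            ok = var is not None and var.group(1) == bad.group(1)
            status = "rejected" if ok else "misaligned"
        elif verdict.endswith("moved successfully."):
            status = "moved"
        else:
            status = "other"
        report.append((status, path))
    return report

def summary(report):
    """Count instructions per outcome."""
    return dict(Counter(status for status, _ in report))

print(summary(reconcile(SCRIPT, RESULT)))
```

On the thread's data all 13 file instructions come back as `Invalid Environment Variable` and the registry key as not found, so this log gives no evidence that the tool moved any of the listed files.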

#11
Essexboy

So has it gone?

#12
Ganryu

Yes. I find no traces of infection whatsoever.

#13
Essexboy

I will monitor this for the next day or so to be sure :)

#14
Ganryu

If you're planning on locking it, please don't. I will be unable to use this computer for the next two weeks so I'd prefer it if you just let it slide away. I'll reply to it in two weeks' time when I get another chance at using it IF I find any traces of an infection still left (which I surely hope I won't) :)

If that's too much of a hassle just close it anyway and I'll make a new thread if I find something new. Still, jWord seems completely gone.

#15
Essexboy

I will put this on the back burner - PM me when you return