small.JR Trojan


Post by fille1000 » September 20th, 2006, 3:30 pm

Here is my HJT logfile

The thing is I have removed the com5.dbm from hijackthis so it doesn't show up as a virus anymore, but I don't think the virus is gone, after reading this: http://www.tutorialsall.com/XPSECURITY/ ... te-195197/

it seems to be very hard to get rid of this rootkit-virus-thing.


Logfile of HijackThis v1.99.1
Scan saved at 21:27:29, on 2006-09-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program\Eset\nod32kui.exe
D:\Program\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
D:\Program\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
D:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program\VideoLAN\vlc.exe
D:\Program\Mozilla Firefox\firefox.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Filip\Skrivbord\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7451532974
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8406376671
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Program\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
fille1000
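A small parser for the HijackThis log format posted above, added here as an example (it is not part of the thread and not a HijackThis or MalwareRemoval.com tool): it turns O2/O4/O18/O23 lines into records and attaches review flags for the patterns a log reviewer checks first: "(file missing)" entries, services listed with "Unknown owner", and Run entries that name a bare executable with no directory. The sample lines are copied from the log above; the flag wording, the HjtEntry record and the helper names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a few entries copied from the HijackThis 1.99.1 log in the post
# above (not the whole log), plus the header line the parser must ignore.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Program\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program\Eset\nod32krn.exe
"""


@dataclass
class HjtEntry:
    section: str             # O2, O4, O18, O23, ...
    location: str            # registry hive / startup folder / "BHO" / "Service"
    name: str                # display name of the entry
    target: str              # executable or DLL the entry points at
    vendor: Optional[str]    # publisher string on O23 service lines, else None
    raw: str                 # the original log line
    flags: list = field(default_factory=list)


# Hypothetical patterns written for this example; they cover the line shapes seen above.
_O4_RUN = re.compile(r'^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')
_O4_LNK = re.compile(r'^O4 - (?P<loc>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$')
_GENERIC = re.compile(r'^(?P<sec>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$')
_FIRST_TOKEN = re.compile(r'^"([^"]+)"|^(\S+)')


def _executable(cmd: str) -> str:
    """Return the program part of a command line: the quoted path, or the first token."""
    m = _FIRST_TOKEN.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group(1) or m.group(2)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for headers, process lists and blanks."""
    line = line.strip()
    m = _O4_RUN.match(line) or _O4_LNK.match(line)
    if m:
        return HjtEntry("O4", m.group("loc"), m.group("name"),
                        _executable(m.group("cmd")), None, line)
    m = _GENERIC.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("rest").split(" - ")]
    if m.group("sec") == "O23" and len(parts) >= 3:
        # O23 shape: "Display Name (ShortName) - Vendor - path"
        return HjtEntry("O23", "Service", parts[0], _executable(parts[-1]), parts[1], line)
    # O2 / O18 shape: "name - {CLSID} - path [(file missing)]"
    return HjtEntry(m.group("sec"), m.group("kind"), parts[0],
                    _executable(parts[-1]), None, line)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: list) -> list:
    """Attach review flags in place and return the flagged entries.

    A flag means "look at this one first", not "malicious": every pattern here also
    occurs on clean machines (stale uninstall leftovers, licence services, OEM audio
    utilities), so each flagged entry still needs a human verdict.
    """
    for e in entries:
        if "(file missing)" in e.raw:
            e.flags.append("file missing: stale entry pointing at a file that no longer exists")
        if e.vendor == "Unknown owner":
            e.flags.append("unknown owner: no publisher metadata, verify the binary by hand")
        if e.section == "O4" and "\\" not in e.target:
            # A bare name is resolved through the search path at start-up, so the
            # reviewer has to confirm which copy on disk actually runs.
            e.flags.append("bare filename: resolved via the search path, confirm which copy runs")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.name}: {'; '.join(e.flags)}")
```

Run against the sample, the three flagged entries are the SoundMan Run entry (bare SOUNDMAN.EXE), the msnim protocol handler (file missing) and the RaySat service (Unknown owner); everything else parses but carries no flag, which matches the "log appears to be clean" reading given later in the thread.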

Post by FencerGirl » September 21st, 2006, 3:36 pm

Hello!
I go by FencerGirl. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Finally, please reply to this thread. Do not start a new topic.


It may take me a while to reply to you as all of my fixes are being checked by experts to ensure that you are getting a good fix. And remember, like you I have a real life, so I may not be at my computer when you are!

FencerGirl

Post by FencerGirl » September 22nd, 2006, 8:05 am

Hi Fille1000,

Your HijackThis log appears to be clean. However, since you indicate that you cleaned a virus with possible rootkit tendencies, let's see what's lurking on your system.

Since your computer may have been compromised, please do not use this computer for anything that may require entry of passwords or credit card information, any banking or anything else that might be sensitive.
  • SCAN FOR MALWARE.
    Preparation

    1) Download the trial version of Ewido anti-spyware from here and save it to your Desktop.
    If you already have this program installed, skip to Updating Ewido: below.

    * Please note that these instructions are for the new version - Ewido anti-spyware. If you have the old version - Ewido anti-malware and it is the:
    • paid-for version - you will need to go here and obtain an updated license code before you upgrade.
    • free version - you will need to uninstall it and reboot before installing the new version.
    Double click the ewido-setup file to begin installation and follow the prompts.
    When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
      Updating Ewido:

      By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
    • Click the Update icon at the top and under "Manual Update" - click the Start update button.
    • Either Ewido will update or inform you that no update was available.
    • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
      Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

      Disabling the Resident Shield:
    • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
      (When the PC has been cleaned you can activate the shield again, if you wish.)
    • Click the Shield icon at the top and under "Resident shield is..." - click active.
    • This should now change to inactive.

      Changing Recommended Actions
    • Click the Scanner icon at the top and then click the Settings Tab.
    • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
    You can now close Ewido anti-spyware.

    Ewido anti-spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
    Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
    Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


    Log off from the internet and disconnect your modem cable for the duration of the fix. Now, get into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

    You'll want to print out these instructions because you will not have internet access while in Safe Mode.

    Removal

    1) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido anti-spyware.
    • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
    • Click "Complete System Scan"
    • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
    • When the scan has completed, any threats that Ewido has detected will be displayed.
    • Click the Apply all actions button at the bottom.
    • When Ewido has finished, it will display the message "All actions have been applied".

      Saving a report:
    • Click the Save Report button at the bottom left and the "Reports" window will open.
    • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\ewido anti-spyware 4.0\Reports folder.
    • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
      Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
    Close Ewido Anti-Spyware.

    2) Boot into Normal Mode.
  • SCAN FOR VIRUSES.
    Please do an online scan with Kaspersky Web Scanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky,
    Click Yes.
    • The program will launch and then begin downloading the latest
      definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available, otherwise Standard)

      • Scan Options:
        Scan Archives
        Scan Mail Bases

    • Click OK
    • Now under select a target to scan:
        Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • LOOK FOR ROOTKITS.
    For more information on rootkits, visit this site
    The safest way to deal with a rootkit is to reformat and reinstall Windows. If, however, you can't or don't want to do that, then we can try to clean the rootkit.

    Please download RootKit Revealer.
    Create a folder for Rootkit Revealer on the C: drive called C:\Rkr. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it Rkr. Extract all the files from the zip archive into that folder.

    Open the Rkr folder and double-click the icon for RootkitRevealer.exe to launch the program. Save the log into that folder (File > Save)

    If you get a warning, let the driver load... it will be a randomly named one, but if you have spyware protection running, the info it gives (when warned) will tell you it is from Sysinternals.

When you get done with all of these scans, please post back with your Ewido, Kaspersky and Rootkit Revealer logs along with a new HijackThis Log.
FencerGirl

Post by Nick-YF19 » September 28th, 2006, 3:05 am

While we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Nick-YF19