Unable to install AV & Malware software

Post by Mr_JAk3 » February 11th, 2007, 2:32 am

Hi :)

HijackThis is looking good now. The only process that should have been stopped was this flec006.exe. I'll try to make my instructions clearer.

You don't have an antivirus on your computer; you must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses:
Then I recommend one more scan...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by StilettoRed » February 11th, 2007, 4:12 pm

Thought I had the AVG loaded, but I guess it was not the antivirus program. The newest AVG scan got this:

Trojan horse Collected.9.AN" "C:\Program Files\Common Files\System\d3ui32.dll" "2/11/2007 10:48:35 AM" "d3ui32.dll" "88 KB"



KASPERSKY ONLINE SCANNER REPORT
Sunday, February 11, 2007 1:55:57 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/02/2007
Kaspersky Anti-Virus database records: 266806
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 38424
Number of viruses found: 5
Number of infected objects: 8 / 0
Number of suspicious objects: 6
Duration of the scan process: 02:27:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\cpf.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip/optimize.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer24.zip/optimize.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer24.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip/optimize.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Robert Cummins\.housecall6.6\Quarantine\flec006.exe.bac_a01664 Infected: Trojan-Downloader.Win32.Bagle.aw skipped
C:\Documents and Settings\Robert Cummins\.housecall6.6\Quarantine\temp.zip.bac_a01664 Infected: Email-Worm.Win32.Bagle.gen skipped
C:\Documents and Settings\Robert Cummins\.housecall6.6\Quarantine\wjrjzhcmsat.exe.bac_a01664 Infected: Email-Worm.Win32.Bagle.gl skipped
C:\Documents and Settings\Robert Cummins\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Robert Cummins\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robert Cummins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Cummins\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Cummins\Local Settings\Temp\~DFDF39.tmp Object is locked skipped
C:\Documents and Settings\Robert Cummins\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Cummins\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robert Cummins\NTUSER.DAT.LOG Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\ModemLog_HSP56 MicroModem.txt Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

Scan process completed.
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Mr_JAk3 » February 12th, 2007, 6:36 am

Hi :)

The infection you had probably removed AVG from your computer.
Did you let AVG remove the found infection? If not, please delete the following file manually:

C:\Program Files\Common Files\System\d3ui32.dll

There were some infections in Housecall and Spybot Quarantine...

How is the computer running at the moment? Any issues?
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland
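
The triage described in the reply above (locked files are noise, several hits sit inside scanner quarantine folders), as an added example that is not part of the original thread. The line format is inferred from the report pasted earlier; the function and bucket names are hypothetical, user names in the sample paths are shortened to `User`, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Line shape in the pasted report: "<path> <verdict> skipped". Paths contain
# spaces, so the verdict is matched from a known set instead of splitting.
LINE = re.compile(
    r"(?P<path>.+?) (?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+"
    r"|[\w.]+: (?:infected|suspicious) - \d+) skipped"
)
# Folders where scanners keep neutralised copies (both appear in the thread).
QUARANTINE_DIRS = ("\\.housecall6.6\\quarantine\\",
                   "\\spybot - search & destroy\\recovery\\")

def classify(path, verdict):
    if verdict == "Object is locked":
        return "locked"        # file held open by Windows, not a detection
    if any(d in path.lower() for d in QUARANTINE_DIRS):
        return "quarantine"    # stored copy; purge it from the owning tool
    if "not-a-virus:" in verdict:
        return "risktool"      # Kaspersky's label for a non-malicious tool
    if re.match(r"[\w.]+: (?:infected|suspicious) - \d+", verdict):
        return "container"     # roll-up line for an archive or packed file
    return "active"            # detection outside any quarantine: act on it

def triage(report_text):
    """Group report paths by bucket; non-matching lines are ignored."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            buckets[classify(m["path"], m["verdict"])].append(m["path"])
    return dict(buckets)

# Sample modelled on the report in this thread; the final entry is constructed.
SAMPLE = r"""
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\.housecall6.6\Quarantine\flec006.exe.bac_a01664 Infected: Trojan-Downloader.Win32.Bagle.aw skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip/optimize.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\EXAMPLE\constructed.dll Infected: Constructed.Example.a skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE).items():
        print(f"{bucket:10} {len(paths)}")
```

Only the `active` bucket needs follow-up on the live system; `quarantine` entries are cleared from inside the tool that created them.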

Post by StilettoRed » February 12th, 2007, 9:48 am

AVG removed the file d3ui32.dll.

I have Spy-Bot running again and it found a few things. I also loaded SpyBlaster and have it running.

I haven't had any problems lately with returned emails from addresses that I never sent anything to, which I believe is an indicator that the computer was hijacked.

For a summary I am running Comodo firewall in a "learning mode." It has intercepted 35 "severe events" in the last three days.

AVG anti virus
AVG anti spy ware
SpyBlaster

Adaware installed
SpyBot Search and Destroy installed
Trojan Hunter installed
A Squared installed

Do I need anything else?

How do you remove the stuff that is in quarantine? I would rather have the files deleted completely.

Can you suggest a good Anti-Spam?

Thanks
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Mr_JAk3 » February 12th, 2007, 3:18 pm

Hi :)

OK good. Log entries in Comodo are a sign that the firewall is working correctly.

Sounds like a good arsenal against malware.

The quarantines...

You may clean the following folder manually (delete the files in it):
C:\Documents and Settings\Robert Cummins\.housecall6.6\Quarantine

Then open Spybot S&D, click on "Recovery", select all entries, then click on "Purge selected items" and answer "Yes".

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then OK, and close My Computer.

=============

You already have a nice collection of security programs, but here are some more hints.

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is a faster and safer browser than Internet Explorer.
  • Keep your system up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted !
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by StilettoRed » February 12th, 2007, 5:34 pm

A few issues if you have the time.

FYI AVG now calls their quarantine the "Virus Vault"

I use CCleaner as it has a register utility. OK?

I understand what the intent of the MVP hosts file is for, but don't know what is to be done to install and use it. I assume you periodically have to go back and get updates?

When I went to the MSFT updates and tried to set up Automatic Updates I was not able to run the file: services.misc

I received a message that the file was not found or component missing - make sure the path and file name are correct....

Do these fall within your domain for fixes?

Thanks
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Mr_JAk3 » February 13th, 2007, 8:05 am

Hi :)

Yes in AVG antivirus it is called Virus Vault and in AVG Anti-Spyware it is Quarantine. You may clean them both...

Yes, CCleaner is OK, no need for ATF Cleaner then. Just remember to allow the backups when you clean the registry.

The hosts file. Basically you just download and extract the hosts.zip, e.g. to the desktop, and run the file mvps.bat. It installs the hosts file. Yes, it is good to update it whenever a new version is available.

Here are instructions for Automatic Updates -> Link

Let me know if you got any questions :)
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by StilettoRed » February 13th, 2007, 1:26 pm

Hello Mr underscore JAk3,

I think I have completed everything that is to be done. I found the automatic updates in the system folder which I should have been able to find without asking you. It evidently worked OK...maybe.

Many thanks for all of your help. I really appreciate the time you have taken to work out all these virus issues. You perform an admirable service!!

I have one more request. Can you please recommend a good Windows repair site? After getting the updates and starting to reply to your post my computer locked up. Everything has slowed to a crawl and my CPU usage has maxed out at 100% just to make an internet connection and it literally took about 5 minutes after the computer took about 5 minutes to boot to get back on the internet. I have a dial-up connection which doesn't help matters, but it is still excessively slow. Evidently I have other problems now other than just viruses.

When will it all end? (rhetorical question NRE)

Later,
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Mr_JAk3 » February 13th, 2007, 3:03 pm

Hi :)

The slowness might be caused by the large hosts file you just installed. This can be easily fixed. Did you check the editor's note from mvps.org/winhelp2002/hosts.htm ?

Editors Note: in most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs in W2000 and XP. Windows 98 and ME are not affected.

To resolve this issue (manually) open the "Services Editor"
  • Start | Run (type) "services.msc" (no quotes)
  • Scroll down to "DNS Client", Right-click and select: Properties
  • Click the drop-down arrow for "Startup type"
  • Select: Manual, or Disabled (recommended) click Apply/Ok and restart.

Please let me know if this helped :D
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by StilettoRed » February 13th, 2007, 7:14 pm

Yes sir, I made the changes and everything appears to be back to normal. However, in my case "slow down" was a misnomer. The computer came to a screeching halt and fell on its side. I had to remove power to get it to reboot.

Again, thanks for your help.

Aside from all the BS we had to go through it has been my pleasure to meet you.

Best of luck to you Mr_JAk3.
StilettoRed
Regular Member
 
Posts: 34
Joined: January 30th, 2007, 7:31 pm

Post by Mr_JAk3 » February 14th, 2007, 3:04 am

Hi, that's good news :)

Yes, that can make a computer really crawl...

You're very welcome, nice that we were able to help :D
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by NonSuch » February 14th, 2007, 3:27 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California