Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HJT log, unsure of infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby IndiGenus » October 24th, 2007, 9:47 am

Hi again,

Looks like it is having problems fixing the Adobe Reader Updater. What we recommend at this point is to uninstall Adobe Reader 7 (older versions have vulnerablilities anyway) and install version 8.

You can get the new version here. http://www.adobe.com/products/acrobat/readstep2.html

Before installing the new version use Add or Remove Programs to uninstall Adobe. Then remove any and all folders that may be left over.
C:\Program Files\Adobe\Acrobat 7.0

I would also recommend removing the Utopia folder/files and re-installing them as it looks like they have been corrupted by the infection.

C:\Utopia

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Post a new HJT log and let us know how it's running. Be sure to test out your programs.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA
Advertisement
Register to Remove

Unread postby crustygloves » October 24th, 2007, 11:19 pm

alrighty, i've done everything now, heres my log


Logfile of HijackThis v1.99.1
Scan saved at 7:17:29 PM, on 24/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS2\System32\nvsvc32.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS2\System32\devldr32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS2\System32\WgaTray.exe
C:\WINDOWS2\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS2\System32\svchost.exe
C:\Documents and Settings\Griffin.MAIN\Desktop\Anti-suck\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forumsx.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS2\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS2\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS2\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6586510546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS2\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS2\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



My computer is running pretty nicely now.
crustygloves
Regular Member
 
Posts: 19
Joined: October 4th, 2007, 8:55 pm

Unread postby IndiGenus » October 25th, 2007, 5:23 pm

Hi crustyg,

Glad to hear things are running better. Still a bit of work to do though.

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 3.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 3
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

-------------------------------------------------------------------------

I think it is time to update to Service Pack 2, as you appear to be clean.

It is crucial to update to Service Pack 2, it is probably the most important update the Microsoft has ever put out for WinXP and you are extremely vulnerable without it, Service Pack 2 significantly increases the security on your computer. I recommend that you do this update as soon as possible.

Link to Windows Update: http://v5.windowsupdate.microsoft.com

Please update your computer then post back with how it went. If you have any problems please post back with as much detail as you can. This is needed because any problems updating to SP2 could indicate that there is still some infection on your system that we need to address.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby crustygloves » October 25th, 2007, 7:17 pm

I am unable to install SP2, i've tried it multiple times, and i took it into a shop to get done properly becasue it never worked for me, and they couldn't get it to work on my PC either, i actually have a seperate partition with SP2 installed, but i can't even log on without my computer crashing.

I can't update java becasue it isn't capable of running on sp1
crustygloves
Regular Member
 
Posts: 19
Joined: October 4th, 2007, 8:55 pm

Unread postby IndiGenus » October 26th, 2007, 8:56 am

Download and Run a Diagnostic Tool (MGADiag.exe) from here and save this to your desktop.
http://go.microsoft.com/fwlink/?linkid=56062
* Double-click on MGADiag.exe
* When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
* Please post the results in your next reply.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby crustygloves » October 26th, 2007, 9:12 pm

Diagnostic Report (1.7.0062.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-BHDV6-9FF3V-F8B9B
Windows Product Key Hash: C3Qsu2FRBnGjQik5PFb2QMbRGls=
Windows Product ID: 55277-OEM-2115435-81076
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {24A3BEF5-66AC-4891-A959-6305374FB98F}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.36.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Vista BRT Data-->
Grace Flag: N/A
Commit: N/A
Reboot Flag: N/A
ThreatID(s): N/A
Wgaer.exe Version: N/A, hr = 0x80070002
Wgaer.exe Signed By: N/A, hr = 0x80070002

Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.17.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2968-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{24A3BEF5-66AC-4891-A959-6305374FB98F}</UGUID><Version>1.7.0062.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-F8B9B</PKey><PID>55277-OEM-2115435-81076</PID><PIDType>3</PIDType><SID>S-1-5-21-1659004503-436374069-1957994488</SID><SYSTEM><Manufacturer>D850GB</Manufacturer><Model>GB85010A</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>GB85010A.86A.0063.P14.0107182015</Version><SMBIOSVersion major="2" minor="3"/><Date>20010718******.******+***</Date></BIOS><HWID>83D3378F0184C04E</HWID><UserLCID>1009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91110409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office XP Professional</Name><Ver>10</Ver><Val>190D9896EE7CB98</Val><Hash>LMosIgT/ELeliSOsuSImBhkbbP0=</Hash><Pid>54186-OEM-1793035-42348</Pid><PidType>4</PidType></Product></Products></Office></Software></GenuineResults>
crustygloves
Regular Member
 
Posts: 19
Joined: October 4th, 2007, 8:55 pm

Unread postby IndiGenus » October 27th, 2007, 10:50 am

At this point it appears as though your system is all clean and will need to get additional support for your update issue. You can start here:
http://www.microsoft.com/protect/comput ... s/faq.mspx
and read for extra information.

The hardware / system forums may be able to help.
Good Hardware Help Forums
Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3
All may require you to register free before posting for help.

--------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name it and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evalutation versions that provide
better security than the Windows Firewall.
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Install Ad-Aware - Ad-Aware SE You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use IESpy-Ad -
IESpy-Ad will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.

http://users.telenet.be/bluepatchy/miek ... ntion.html

Good luck and safe surfing,
Dave
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby crustygloves » October 27th, 2007, 11:04 pm

Thanks very much for your help:)

I'm pretty sure the reason i got infected this was turning off AVG's auto-update and not remembering to update it manually before scanning.

I'll make sure i do everything you said in your last post, thanks again!
crustygloves
Regular Member
 
Posts: 19
Joined: October 4th, 2007, 8:55 pm
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware