

Need help to clean up after effects of a trojan


Re: Need help to clean up after effects of a trojan

Post by chryssi2001 » August 2nd, 2008, 5:43 am

Hello Yvette,

Hooray :cheers: :cheers: , it worked.

Now let's fix those lines, and you can try to download Java correctly this time.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
----------------------------------------------
Be sure there is nothing in this Folder:

C:\Program Files\Java
----------------------------------------------
Now install Java, and let me know how it went.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Post by yalycer » August 2nd, 2008, 6:33 am

I successfully removed all three from HijackThis. But I didn't post a new log or reinstall Java because I noticed something new.

I have a desktop icon for Spybot. I went into Windows Explorer and also found a large application in WINDOWS\Prefetch and a folder with logs and restores in Documents & Settings\All Users\Application Data.

You had me uninstall Spybot days ago and I have no evidence of it anywhere else.

Should I get rid of all these before I reinstall Java? And what is the best way to do so?

Thank you, Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

Re: Need help to clean up after effects of a trojan

Post by chryssi2001 » August 2nd, 2008, 6:54 am

Remove the Desktop icon, as you do not have the program now.

Please install Java, and post a new HijackThis log.
You are doing great, keep it up! ;)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Post by yalycer » August 2nd, 2008, 7:40 am

Well, it seems to have worked just fine. But believe it or not, after all those different ways of removing all Java, it was still there and I had to click to reload it! But this time it let me. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:44 AM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\LANScope Agent\awtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.us.acer.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ntiMUI] "c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" 0
O4 - HKLM\..\Run: [eLockMonitor] "C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe"
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9060 bytes

I hope everything is now okay and I'm ready to re-enable Windows Defender and SpySweeper. Let me know...and thanks again...Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

Re: Need help to clean up after effects of a trojan

Post by chryssi2001 » August 2nd, 2008, 8:53 am

Hello Yvette :) ,

Well, it seems to have worked just fine. But believe it or not, after all those different ways of removing all Java, it was still there and I had to click to reload it!

Unbelievable, it gave us a hard time, didn't it? But at last everything is fine :cheers: .
-------------------------------------------------
Now that everything is OK, please create a new clean Restore Point.

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.
-------------------------------------------------
I hope everything is now okay and I'm ready to re-enable Windows Defender and SpySweeper. Let me know...and thanks again...Yvette


Yes, do that, Yvette. You can also download Spybot again.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here.

You are welcome, I am glad I helped you out; your cooperation was unbelievable :flower: .

Happy Surfing!
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Post by yalycer » August 2nd, 2008, 5:10 pm

I'll do all that, but please stay with me a little longer. Since we had a problem when I re-enabled Spybot before, I'd like to get completely back up and running and send you one last log before we say goodbye.

I think I'll also download the other programs you recommended.

By the way, I am curious. I know you never saw my original infection, but the history says I had a backdoor and a Trojan for several months with no effect and might not have ever discovered them if my mouse hadn't gotten too old and malfunctioned, so that I started to search for malware. I've been taking a look through some of the posts in this forum and there is some really really scary stuff that the backdoors and trojans can do to a system.

Do these things have different degrees of danger? And did I just happen to get some relatively weak ones? Or did the few things I was doing since the beginning, like using a router and NoScript and Spybot, help keep them from doing much damage? Or maybe it's just because I don't do a lot of dangerous surfing anyway?

It seems to me from what you've been telling me that most of the cleanup you've been helping me with came from minor sources, not from something dangerous like a trojan or backdoor. Like the AskS Toolbar, for example. Do you have any idea why this trojan and backdoor I had just sat on my computer for six months without doing much damage?

I guess it doesn't really matter, now that I'm all clean. I just wondered if you had any thoughts on the matter. Thanks, Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

Re: Need help to clean up after effects of a trojan

Post by chryssi2001 » August 2nd, 2008, 5:59 pm

Hello Yvette :) ,

A backdoor is a backdoor. We can't say this backdoor is less dangerous than another one.

A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, passwords, etc.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

The reason we advise users with backdoors to re-format and re-install their system is because we do not have a way to know that, after we clean a compromised PC, it will be like before.

Some users with backdoors don't have the installation disk of their PCs, so they ask us to clean them. We can't guarantee the PC will be in the shape it was before the backdoor infection.

Having all those in mind, since I didn't find the backdoor your protection programs warned you about, if you still believe you were so heavily infected, and you use this PC for bank payments etc., you might think about re-formatting and re-installing your system. It's up to you.
It would be a good idea to change all your passwords from another computer.

Since I haven't really seen the infection (you gave me only names), I can't be sure if it was a backdoor. Your mouse maybe was faulty, and too old as you said, and if an infection was on your PC, it could possibly have affected it.
Nothing for sure though.

A piece of advice from me, since you are safe surfing the net now, is never to use any peer-to-peer programs to download stuff onto your PC, or download cracks, keygens or illegal programs; all those can bring multiple and dangerous infections onto your PC. Also do not click on suspicious links or open emails sent to you by unknown persons, even if they say they are sending a picture to you.

Hackers use these ways to make users open the emails and click on links, to get control of their PCs.

Unfortunately you have to defend your PC from all these and keep it protected the best way you can.

I'll be hanging around 1-2 days more, and then I'll let you go and try to help some other people in need.

I've talked too much; I'll let you download the programs you want, and I'll be waiting for your new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Post by yalycer » August 2nd, 2008, 7:26 pm

Thank you. I was just curious and my computer seems to be operating fine. I rarely do any financial stuff over the Internet anyway, just occasionally order something, like ink for my printer.

I have created a new system restore point and re-enabled Windows Defender and SpySweeper. But I'm having trouble downloading Spybot. I've tried in Internet Explorer and Firefox and through four of their mirrors and I keep getting the same message, that a connection with the server could not be established.

I think that means their download server is down and I'll just wait a few hours and try again. But if you know of anything that I should be doing differently, please let me know. Thanks, Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

Re: Need help to clean up after effects of a trojan

Post by chryssi2001 » August 3rd, 2008, 4:05 am

Hello Yvette,

Please download ATF Cleaner.
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
----------------------------------------------
After that try to download Spybot.

Use one of the download sites mentioned in Main mirrors, and try with Internet Explorer. I just tried the first link and it works from here.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Post by yalycer » August 3rd, 2008, 4:21 am

Oh, thank you, but I solved that problem. It was my Comodo firewall not letting it communicate.

So I have Spybot and SpyWare Blaster and WinPatrol.

But now I'm having problems. I downloaded SiteHound and its toolbar appeared, but it wasn't doing what it was supposed to do. The defaults didn't seem to be loaded. And it warned me that it would slow down Gmail, and I have a Gmail address that is usually my main email. So I went in there and tried to write an email. It was unbelievably slow, yet my Yahoo emails are not slowed down at all.

So I decided to do without SiteHound. My AVG seems to do the same thing about warning about a site when you're in a search engine.

However, I may have some of that installation in my files somewhere.

Then I went on to the MVPS hosts file and got really messed up. All it will do is give me a box that says it is 0% complete when it starts. I have tried deleting the zipped folder, which I don't think is complete, and rebooting, but it still does it. Luckily I had made a hosts backup in SpywareBlaster, so I restored that.

So here is a HijackThis log for you to check for any damage I have done so far.

I don't want SiteHound, but I do want the MVPS hosts file and I don't know how to get myself back to where I can download that properly.

My only other thing is to upgrade to Windows XP SP3, so once we fix these problems, I'm done.

Thanks, Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

Re: Need help to clean up after effects of a trojan

Post by yalycer » August 3rd, 2008, 4:22 am

Forgot the log. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:09 AM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\LANScope Agent\awtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.us.acer.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ntiMUI] "c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" 0
O4 - HKLM\..\Run: [eLockMonitor] "C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe"
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe" -expressboot
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" /FU "C:\WINDOWS\TEMP\E_SAF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10036 bytes
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

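As an added example that is not part of the thread (my own code, not a MalwareRemoval.com or HijackThis tool): a small Python parser for the HijackThis log format posted above that flags entries marked "(file missing)", the kind fixed earlier for Java and left behind here by the SiteHound uninstall, and diffs two logs to show what was resolved, added, removed or newly orphaned. The two excerpts are constructed from lines in this thread, not the full logs.

```python
"""Parse HijackThis v2.0.2 log lines, flag orphaned entries and diff two logs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpts in the HijackThis line format (not the thread's full logs):
# "before" has the two Java entries whose DLL was missing; "after" has them resolved,
# plus a leftover SiteHound button whose DLL is gone and a new Spybot TeaTimer entry.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
--
End of file - 9060 bytes
"""

LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
--
End of file - 10036 bytes
"""

# An entry line is "<section> - <body>", optionally suffixed with " (file missing)".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+?)(?P<missing> \(file missing\))?$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    section: str            # e.g. "O2", "O9", "O23"
    body: str               # the line without section prefix and missing marker
    clsid: Optional[str]    # first {GUID} in the body, if any
    file_missing: bool      # True when HijackThis could not find the referenced file

    @property
    def key(self) -> Tuple[str, str]:
        # Same key before and after a repair: only the missing marker differs.
        return (self.section, self.body)


def parse_log(text: str) -> List[Entry]:
    """Return the O/R entries of a log; header, process list and footer are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        clsid = CLSID_RE.search(m.group("body"))
        entries.append(Entry(
            section=m.group("section"),
            body=m.group("body"),
            clsid=clsid.group(0) if clsid else None,
            file_missing=m.group("missing") is not None,
        ))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is gone: uninstall leftovers, the kind HijackThis can fix."""
    return [e for e in entries if e.file_missing]


def diff_logs(before_text: str, after_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Compare two logs of the same machine and classify what changed between them."""
    before = {e.key: e for e in parse_log(before_text)}
    after = {e.key: e for e in parse_log(after_text)}
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        # flagged "(file missing)" before and now pointing at a real file
        "resolved": sorted(k for k in before if k in after
                           and before[k].file_missing and not after[k].file_missing),
        # flagged "(file missing)" now but not before (or absent before)
        "new_orphans": sorted(k for k in after if after[k].file_missing
                              and not (k in before and before[k].file_missing)),
    }


if __name__ == "__main__":
    for label, keys in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(label)
        for section, body in keys:
            print(f"  {section} - {body}")
```
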
Re: Need help to clean up after effects of a trojan

Post by chryssi2001 » August 3rd, 2008, 5:14 am

Hello Yvette,

SiteHound can slow down some machines. Some users do not have any problem at all.

Since you have Spybot's hosts file protection and SpywareBlaster's, there is really no need to also add the MVPS hosts file. Your PC is protected enough, so whatever site exists in Spybot's hosts file, your PC won't be able to go there. Those are bad sites. ;)

You can download McAfee SiteAdvisor which will show you good and bad sites.

Give it a try if you want. You can find IE & Firefox versions.

My only other thing is to upgrade to Windows XP SP3, so once we fix these problems, I'm done.

Additional advice for the SP3 download: please disable all your protection programs in case they interfere; they might give you warnings to allow changes in the registry etc. It is a big download.

An option is to download the SP3 package, disconnect your pc from the internet, disable programs, install, reboot, re-enable them all and you are done.

Oh, and your HijackThis log looks perfect!!! :)

Please let me know when you are done, so I can archive this topic.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Unread postby yalycer » August 3rd, 2008, 8:49 am

My log looks perfect??? I'm surprised with all the frustration and retrying of those downloads!

I really like McAfee! I got it for both Firefox and IE.

Okay, now to prepare for installing Windows XP SP3, I need to know which of these programs I need to disable and in what order and then in what order I need to reenable them. Also, how to disable some of them.

Group A: programs I don't think I will need to disable. (If I'm wrong and do need to, I don't know the steps of how to do so.)
Hijack This
ATF Cleaner
Malwarebytes AntiMalware
JavaRa
Windows Install Cleanup
Firefox NoScript
McAfee

Group B: these programs give me warnings and I think I need to disable them and don't know how:
AVG Antivirus
Winpatrol
Spyware Blaster

Group C: these programs I know I need to disable and you've already taught me how to:
Comodo Firewall
Windows Messenger
SpySweeper
Spybot

And then I need to know the order to re-enable them so I don't have the problem I had before.

Thank you sooooooooooooooooooo very much!!!!!!!!!!!!!!! Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm

Re: Need help to clean up after effects of a trojan

Unread postby chryssi2001 » August 3rd, 2008, 9:09 am

Hello Yvette,

Group A: programs I don't think I will need to disable. (If I'm wrong and do need to, I don't know the steps of how to do so.)
Hijack This
ATF Cleaner
Malwarebytes AntiMalware
JavaRa
Windows Install Cleanup
Firefox NoScript
McAfee << If it is SiteAdvisor, no need to.

They do not need to be disabled, you are right.

Please uninstall JavaRa and the report it created, as you do not need it anymore.

Group B: these programs give me warnings and I think I need to disable them and don't know how:
AVG Antivirus
Winpatrol
Spyware Blaster

AVG Antivirus << Right click on the task bar icon, Launch Control Center, click on the Program tab and click on Exit.
Winpatrol << Right click on the task bar icon, and click on Exit Program.
Spyware Blaster << No need to disable.

And then I need to know the order to re-enable them so I don't have the problem I had before.

Reverse the procedure as you did the first time and enable them again.
Re-enable Spybot last.

You are welcome a lot :cheers:
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help to clean up after effects of a trojan

Unread postby yalycer » August 3rd, 2008, 6:12 pm

Thank you for waiting for me to get this done. I'm working on SP3 now and will be finished in an hour or so. I just feel a lot better knowing that if I have any problems with it I have someone to ask. So thanks again for waiting. Yvette
yalycer
Regular Member
 
Posts: 27
Joined: July 19th, 2008, 10:47 pm