Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need to check if computer is infected

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need to check if computer is infected

Unread postby lemon_lime123 » November 9th, 2009, 8:45 pm

Hello,
I've been trying to help my computer teacher with a trojan her son donwloaded. Its tauocey.scr, which infected her usb and made phony shortcuts on her usb that mimicked the My Documents, My Music, all those generic folders, only they point to tauocey.exe. Trouble is it got on my usb and i think it spread to my computer. I already formatted the usb but i don't know if it already spread to my computer. Heres the Hijack this log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:47 PM, on 11/9/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
G:\Windows\system32\taskhost.exe
G:\Windows\system32\Dwm.exe
G:\Windows\Explorer.EXE
G:\Windows\SOUNDMAN.EXE
G:\Program Files\Avira\AntiVir Desktop\avgnt.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\Alwil Software\Avast4\ashDisp.exe
G:\Windows\System32\igfxtray.exe
G:\Windows\System32\hkcmd.exe
G:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\Program Files\Windows Live\Contacts\wlcomm.exe
G:\Program Files\Windows Live\Mail\wlmail.exe
G:\Windows\explorer.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "G:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "G:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] "G:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [IgfxTray] G:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] G:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: pg2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: g:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: g:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - G:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - G:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 5334 bytes
lemon_lime123
Active Member
 
Posts: 2
Joined: November 9th, 2009, 8:30 pm
Advertisement
Register to Remove

Re: Need to check if computer is infected

Unread postby askey127 » November 12th, 2009, 5:51 pm

lemon_lime123
Sorry for the delay.
Why is the system on drive G: ? is this a multi=-boot with another system?
--------------------------------------------------
Run Flash Disinfector
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task > Run... Type in explorer.exe and press Enter. Your desktop should now appear.
Wait until it has finished scanning and then exit the program.

You can run Flash Disinfector with other flash drives and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
------------------------------------------------------------
Download the latest version of Java Runtime Environment here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
Scroll down - It is currently the 5th item on the page (the page changes often), called JRE 6 Update 17
Select Windows and multi-language, and check to agree to the license.
Choose Windows Offline installation version.
Download it, choose Save, and save it to your desktop.
Then doubleclick it, and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

So we are looking for the Kaspersky log, and the answer to what kind of machine boot we have here.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Need to check if computer is infected

Unread postby lemon_lime123 » November 13th, 2009, 10:13 am

The Kapersky report was empty, i guess that meant there was no threats.

Yes It is a multi-boot machine. I have a Windows XP partition (C:), a compaq recovery partition (D:), and Windows 7 on another partition (G:). All my stuff (music, documents, etc.) is stored on a seperate hard drive on the L: partition
lemon_lime123
Active Member
 
Posts: 2
Joined: November 9th, 2009, 8:30 pm

Re: Need to check if computer is infected

Unread postby askey127 » November 13th, 2009, 3:54 pm

lemon_lime,
I think your machine is OK.
In the absence of any direct evidence of some problem, I think you are good to go.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Need to check if computer is infected

Unread postby NonSuch » November 17th, 2009, 2:43 am

As this issue appears to be resolved, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27301
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 30 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware