Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Checking a Hijackthis log - after "msupdate.exe" incident

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 22nd, 2010, 11:19 pm

Hello odilon,

Let's get a better look.

**Please copy to notepad or print these out as you will be off the internet for this scan**


Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

    Image

  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe


Next

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Post
Any problems? How your system is running
C:\Combofix.txt

Thank you

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
Advertisement
Register to Remove

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 23rd, 2010, 11:30 am

Hi Turtledove,

I ran those programs (ERUNT and Combofix), and it appears to have fixed the start-up problem (ie, I no longer have to use task manager to start up explorer). As far as I can tell, the system is running normally. The only problem is that (oddly) my speakers do not appear to be playing sound...very odd.

Do you think it worked? Do we know what the problem was, and can I be sure that it is now solved?

Thanks!!
Odilon

I copy the Combofix log below:

ComboFix 10-06-22.03 - Odilon 06/23/2010 20:24:28.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3032.2130 [GMT 8:00]
Running from: c:\users\Odilon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-23 12:32 . 2010-06-23 12:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-23 12:22 . 2010-06-23 12:22 -------- d-----w- C:\32788R22FWJFW
2010-06-23 12:16 . 2010-06-23 12:17 -------- d-----w- c:\program files\ERUNT
2010-06-18 12:38 . 2010-06-18 12:38 -------- d-----w- c:\users\Odilon\AppData\Roaming\Malwarebytes
2010-06-18 12:38 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 12:38 . 2010-06-18 12:38 -------- d-----w- c:\programdata\Malwarebytes
2010-06-18 12:38 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 12:38 . 2010-06-18 12:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 03:18 . 2010-06-22 02:49 -------- d-----w- c:\program files\Trend Micro
2010-06-16 01:31 . 2010-06-16 01:31 -------- d-----w- c:\program files\Smith Micro
2010-06-13 16:21 . 2010-06-13 16:21 -------- d--h--w- c:\programdata\CanonBJ
2010-06-13 16:20 . 2009-07-14 01:15 71168 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNBPP4.DLL
2010-06-11 08:46 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 08:46 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 08:45 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-11 08:45 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 08:45 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-28 01:06 . 2010-05-28 01:06 -------- d-----w- c:\programdata\PC-Doctor for Windows
2010-05-28 01:04 . 2010-06-18 09:03 -------- d-----w- c:\users\Odilon\AppData\Roaming\Update
2010-05-25 23:39 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 12:15 . 2009-12-11 15:24 -------- d-----w- c:\users\Odilon\AppData\Roaming\Skype
2010-06-23 11:35 . 2009-12-11 15:31 -------- d-----w- c:\users\Odilon\AppData\Roaming\skypePM
2010-06-20 07:38 . 2010-06-20 07:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-11 16:24 . 2009-12-19 14:03 -------- d-----w- c:\programdata\Microsoft Help
2010-05-28 01:06 . 2009-12-11 08:35 -------- d-----w- c:\programdata\PCDr
2010-05-28 01:06 . 2009-12-11 08:34 -------- d-----w- c:\program files\PC-Doctor
2010-05-21 06:14 . 2009-12-11 07:17 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 15:30 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-07 19:46 . 2010-05-07 19:46 655872 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\msvcr90.dll
2010-05-07 19:46 . 2010-05-07 19:46 572928 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\msvcp90.dll
2010-05-07 19:46 . 2010-05-07 19:46 27136 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\startmenu-localizer.exe
2010-05-07 19:46 . 2010-05-07 19:46 24064 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\CommandLine.dll
2010-05-07 19:46 . 2010-05-07 19:46 225280 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\msvcm90.dll
2010-05-07 19:46 . 2010-05-07 19:46 1768960 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\Common.dll
2010-04-25 11:56 . 2010-01-13 08:19 -------- d-----w- c:\program files\Chinatelecom C+W
2010-04-25 11:55 . 2009-12-17 03:42 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-12 09:29 . 2010-04-23 00:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-11 135664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-06-26 92960]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-08-04 358424]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-13 167424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-13 144384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
"TelRun"="c:\program files\CTC_Setup\CMUpdater\TelRun.exe" [2009-09-29 110416]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
RCIMGDIR.exe.lnk - c:\program files\RotateImage\RCIMGDIR.exe [2009-12-11 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-10-20 106496]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-20 9728]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-05-07 21360]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-06 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-04-16 11520]
R3 zgdccat;ZTE CDMA AT Interface;c:\windows\system32\DRIVERS\zgdccat.sys [2009-09-02 106112]
R3 zgdccdiag;ZTE CDMA Diagnostics Interface;c:\windows\system32\DRIVERS\zgdccdiag.sys [2009-09-02 106112]
R3 zgdccmdm;ZTE CDMA Proprietary USB Modem;c:\windows\system32\DRIVERS\zgdccmdm.sys [2009-09-02 106112]
R3 zgdccvousb;ZTE CDMA Sound Interface;c:\windows\system32\DRIVERS\zgdccvousb.sys [2009-09-02 106112]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-10-20 1701112]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-10-20 98304]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-08-04 2058776]
S3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\5U875.sys [2009-07-08 72320]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-10-20 485376]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-22 225408]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2009-06-26 23080]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368385870-323229818-1778835536-1000Core.job
- c:\users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-11 15:12]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368385870-323229818-1778835536-1000UA.job
- c:\users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-11 15:12]

2010-06-04 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]

2010-06-22 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hsbc.com.hk/1/2/home
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {A4391E21-5430-414E-B191-7A4CAA865E14} = 149.254.230.7 149.254.201.126
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Aide - c:\program files\Chinatelecom C+W\Aide.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1912)
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2010-06-23 20:37:41
ComboFix-quarantined-files.txt 2010-06-23 12:37

Pre-Run: 19,640,823,808 bytes free
Post-Run: 19,366,457,344 bytes free

- - End Of File - - 740D920CFD6C9CB639C170DCBA20EEF0



turtledove wrote:Hello odilon,

Let's get a better look.

**Please copy to notepad or print these out as you will be off the internet for this scan**


Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

    Image

  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe


Next

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Post
Any problems? How your system is running
C:\Combofix.txt

Thank you

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 23rd, 2010, 3:27 pm

Hello odilon,

Your welcome. :)



Could you post the following text file please:

ComboFix-quarantined-files.txt 2010-06-23 12:37

There should be a folder C:\Qoobox\ComboFix-quarantined-files.txt with date of above txt file there. Will have another scan after I see what the quarantine file contains to double check progress.

Thank you

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 23rd, 2010, 4:00 pm

Hi Turtledove,

I found the following .txt file:

2010-06-23 12:34:59 . 2010-06-23 12:34:59 136 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Aide.reg.dat
2010-06-23 12:29:58 . 2010-06-23 12:29:58 10,424 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-23 12:21:52 . 2010-06-23 12:24:27 113 ----a-w- C:\Qoobox\Quarantine\catchme.log


I'm extremely curious to hear your assessment of this - what it was, and whether it's now healthy (or just hibernating).

Also, do you think it may have somehow undermined my sound drivers?

Thanks!
Odilon

turtledove wrote:Hello odilon,

Your welcome. :)



Could you post the following text file please:

ComboFix-quarantined-files.txt 2010-06-23 12:37

There should be a folder C:\Qoobox\ComboFix-quarantined-files.txt with date of above txt file there. Will have another scan after I see what the quarantine file contains to double check progress.

Thank you

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 23rd, 2010, 4:24 pm

Hello odilon,

Thank you for that information. I will investigate further and return as soon as possible.

Thank You

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 23rd, 2010, 4:45 pm

Hi Turtledove,

I just uninstalled and re-installed the sound drivers, and it works again. Everything appears to be functioning normally!

Please let me know what you discover in the logs in any case, but it's looking very good from this end.

Thanks!
Odilon

turtledove wrote:Hello odilon,

Thank you for that information. I will investigate further and return as soon as possible.

Thank You

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 24th, 2010, 1:03 am

Hello odilon,

Thank you for letting me know. It appears the scan you ran yourself may have done much to help. Good job on the sound issue. :)
Please try the below, and let me know if there are any problems running the scan. This should show if there are any leftovers to deal with.


ESET online scannner


Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Post:
C:\Program Files\ESET\EsetOnlineScanner\log.txt
How things are running

Thank you

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 24th, 2010, 11:53 am

Dear Turtledove,

I just finished the ESET scan, and the results are below.

Everything appears to be running smoothly.

Thanks!
Odilon

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1861faf5a877334cbcf18739e07beff2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-24 03:44:35
# local_time=2010-06-24 11:44:35 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776573 100 100 73153 17036306 0 0
# compatibility_mode=8192 67108863 100 0 322 322 0 0
# scanned=85414
# found=0
# cleaned=0
# scan_time=5136


turtledove wrote:Hello odilon,

Thank you for letting me know. It appears the scan you ran yourself may have done much to help. Good job on the sound issue. :)
Please try the below, and let me know if there are any problems running the scan. This should show if there are any leftovers to deal with.


ESET online scannner


Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Post:
C:\Program Files\ESET\EsetOnlineScanner\log.txt
How things are running

Thank you

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 24th, 2010, 4:30 pm

Hello idilon,

Great job, you are now clean. :)

**Please Copy this information to Notepad or Print out a copy for future reference

** Adobe Acrobat:
I notice you have an old version of Adobe Acrobat. This is vulnerable to attack. I would suggest using it as an editor only; using Adobe Reader kept up to date to read PDF files if you can not repurchase Acrobat at this time.


OTC
Let's perform some housekeeping and cleanup some of the tools we used.
Please download OTC.exe... by OldTimer. Save it to your desktop.
  1. Right click on OTC.exe and select Run As Administrator.
  2. Click on Allow, then click on CleanUp!.
  3. Click "Yes" to the Begin cleanup process? prompt.
  4. Click "Yes" ... when prompted to reboot the computer to remove files.
Your computer should restart automatically. If it doesn't, please do so manually.


Create a new, clean System Restore point

  • Click Start, Right Click on Computer, and select Properties.
  • In the left pane, click System Protection > Creat.
  • Give this restore point a descriptive name and click Create.
  • Click Apply and OK.

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Flush infected System Restore points

  • Click Start, Right Click on Computer, and select Properties.
  • In the left pane, click System Protection.
  • untick the box labeled Vista C: an click Turn off system restore.
  • Click Apply and OK.
  • Restart your computer.


For the Future: Protection Programs

Before Surfing Be Sure that Windows and Internet Explorer are fully up to date

Read - stay informed.
Please check out these articles:
Tony Klein's "How did I get infected in the first place?"

How to prevent Malware:© miekiemoes - Microsoft MVP - Consumer Security .

P2P Filesharing
This needs avoided. Peer to Peer Filesharing is a key to most infections. This is due to malware writers writing their malware, then naming them after a legitimate program or song/video. Also this is done by putting their malware inside legitimate programs, and key generating software/cracked software.


You can help the fight, report it at Malware Complaints
Stand Up and be Counted!

Some of your legitimate programs will leave .tmp files as they run. Clean these out regularly. Before running a scan is a good time.

Use the following and KEEP UPDATED


Check for updates at least WEEKLY **New Anti Virus and Firewall if you need to replace the ones you have only.
Antivirus: *Use only one*
AntiVir
AVAST! Anti-Virus

Needed Firewall: Monitors traffic IN and OUT Bound. Very Important. *Use only one*
Online Armor
Comodo Personal Firewall


A Realtime monitor : (Replaces Spybot)
Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about what the programs that you see in Winpatrol please check out Winpatrol Plus. It does not need a new download.

SpywareBlaster


Java Updates: *Always remove old Java Before installing New Version*
Java Update

Test open Ports:
SheildsUp (follow the links to Shield's-Up!)


Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE


You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

**Please post back that you've read this and are clear to close this topic; or if there are any remaining issues.**

Thank you and safe , happy surfing :)

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 25th, 2010, 12:09 am

Dear Turtledove,

Thanks for all your help. Everything in your message makes sense, though I have not yet done it. Great to know that the machine is now clean!! I will do my best to keep it that way.

I might post again in a day or two, after I try to digest everything you wrote below, but in principle it all sounds very reasonable and do-able.

Thanks!!

Odilon

turtledove wrote:Hello idilon,

Great job, you are now clean. :)

**Please Copy this information to Notepad or Print out a copy for future reference

** Adobe Acrobat:
I notice you have an old version of Adobe Acrobat. This is vulnerable to attack. I would suggest using it as an editor only; using Adobe Reader kept up to date to read PDF files if you can not repurchase Acrobat at this time.


OTC
Let's perform some housekeeping and cleanup some of the tools we used.
Please download OTC.exe... by OldTimer. Save it to your desktop.
  1. Right click on OTC.exe and select Run As Administrator.
  2. Click on Allow, then click on CleanUp!.
  3. Click "Yes" to the Begin cleanup process? prompt.
  4. Click "Yes" ... when prompted to reboot the computer to remove files.
Your computer should restart automatically. If it doesn't, please do so manually.


Create a new, clean System Restore point

  • Click Start, Right Click on Computer, and select Properties.
  • In the left pane, click System Protection > Creat.
  • Give this restore point a descriptive name and click Create.
  • Click Apply and OK.

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Flush infected System Restore points

  • Click Start, Right Click on Computer, and select Properties.
  • In the left pane, click System Protection.
  • untick the box labeled Vista C: an click Turn off system restore.
  • Click Apply and OK.
  • Restart your computer.


For the Future: Protection Programs

Before Surfing Be Sure that Windows and Internet Explorer are fully up to date

Read - stay informed.
Please check out these articles:
Tony Klein's "How did I get infected in the first place?"

How to prevent Malware:© miekiemoes - Microsoft MVP - Consumer Security .

P2P Filesharing
This needs avoided. Peer to Peer Filesharing is a key to most infections. This is due to malware writers writing their malware, then naming them after a legitimate program or song/video. Also this is done by putting their malware inside legitimate programs, and key generating software/cracked software.


You can help the fight, report it at Malware Complaints
Stand Up and be Counted!

Some of your legitimate programs will leave .tmp files as they run. Clean these out regularly. Before running a scan is a good time.

Use the following and KEEP UPDATED


Check for updates at least WEEKLY **New Anti Virus and Firewall if you need to replace the ones you have only.
Antivirus: *Use only one*
AntiVir
AVAST! Anti-Virus

Needed Firewall: Monitors traffic IN and OUT Bound. Very Important. *Use only one*
Online Armor
Comodo Personal Firewall


A Realtime monitor : (Replaces Spybot)
Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about what the programs that you see in Winpatrol please check out Winpatrol Plus. It does not need a new download.

SpywareBlaster


Java Updates: *Always remove old Java Before installing New Version*
Java Update

Test open Ports:
SheildsUp (follow the links to Shield's-Up!)


Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE


You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

**Please post back that you've read this and are clear to close this topic; or if there are any remaining issues.**

Thank you and safe , happy surfing :)

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 25th, 2010, 12:25 am

Hello odilon,

You are very welcome. :) Glad to have been of assistance and that all is well.

I'll wait till Sunday night before closing this topic, should you have questions about staying clean with my recommendations. Let me know if you are done sooner.

Thank you

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 25th, 2010, 7:13 am

Hi Turtledove,

I'm getting on a 15 hour flight (NY to HK) today, so everything is a bit delayed. Do you think you could wait will Monday night? I don't anticipate any problems, but just in case.

Again thanks SO much for your help. :)

Odilon


turtledove wrote:Hello odilon,

You are very welcome. :) Glad to have been of assistance and that all is well.

I'll wait till Sunday night before closing this topic, should you have questions about staying clean with my recommendations. Let me know if you are done sooner.

Thank you

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 25th, 2010, 1:20 pm

Hello odilon,

Yes, I'll wait till Monday night, no problem.
Let me know of any issues or questions by Monday.
Have a safe flight. :)

Thank you

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Elrond » June 30th, 2010, 12:41 pm

Odilon this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 24 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware