Please check my HJT log as I want to apply for the uni...

Re: Please check my HJT log as I want to apply for the uni...

Post by Axephilic » March 31st, 2009, 12:01 am

I have some info on Conficker for you. :)

http://blogs.technet.com/msrc/archive/2 ... ker-d.aspx
http://securitygarden.blogspot.com/2009 ... puter.html

Congratulations, you are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or otherwise update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need regular updates too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed at users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Installing a Hosts file will replace your current Hosts file with one that contains well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only that, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware, or has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
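As an added illustration of the Hosts file mechanism described under item 2 above (example code written for this page, not from the original post or from any of the Hosts files it links): a small parser for the Windows Hosts format that reports which names a blocklist sinkholes and, going one step further than the post, flags entries that point a name somewhere other than a sinkhole address, since a blocklist never writes those. The file contents, hostnames and the 198.51.100.7 address are constructed sample data.

```python
"""Parse a Windows-style Hosts file and audit its blocklist entries."""
from __future__ import annotations
from typing import Dict, List, Tuple

# Addresses a blocklist Hosts file uses as a sinkhole: the 127.0.0.1 from
# the post, plus 0.0.0.0 and ::1, which blocklists also commonly use.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the default localhost lines, comments, a tab, two
# names on one line, a trailing comment, and one entry no blocklist would
# write (a real-looking update site sent to a remote address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by a blocklist (constructed sample)
127.0.0.1  ads.example-tracker.test
0.0.0.0\tbanner.example-ads.test   click.example-ads.test
127.0.0.1 malware-download.example.test # trailing comment
198.51.100.7 update.example-antivirus.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one pair per hostname on each line."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                 # any whitespace, tabs included
        if len(fields) < 2:
            continue                          # malformed line: no hostname
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))  # hostnames are case-insensitive
    return pairs


def blocked_hosts(text: str) -> Dict[str, str]:
    """Hostnames the file sinkholes, mapped to the sinkhole address used."""
    return {name: ip for ip, name in parse_hosts(text)
            if ip in SINKHOLE_ADDRS and name != "localhost"}


def is_blocked(text: str, hostname: str) -> bool:
    """True when a lookup of hostname would be answered from the sinkhole."""
    return hostname.lower() in blocked_hosts(text)


def suspicious_redirects(text: str) -> List[Tuple[str, str]]:
    """Entries that send a hostname to a non-sinkhole address. A blocklist
    never adds these, so an unexpected one means the Hosts file itself has
    been edited to redirect traffic rather than to block it."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip not in SINKHOLE_ADDRS]


if __name__ == "__main__":
    print("blocked:", sorted(blocked_hosts(SAMPLE_HOSTS)))
    print("suspicious:", suspicious_redirects(SAMPLE_HOSTS))
```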

Re: Please check my HJT log as I want to apply for the uni...

Post by jamestaylor » March 31st, 2009, 9:39 am

Axephilic wrote: Congratulations, you are now all clean!

Wow - thank you. That's great news. Fewer worries about Conficker now. The BBC has now reported about the 1st April thing.

Anyway, thank you. Just scanned with Spybot S&D and it's found some spyware so just got rid of that.

In your sig, I see you were in the MW Uni. I applied the same day I made the original post in the thread - will I need to re-apply in the future to try and get in, or will they just contact me? Also, am I allowed to apply to another MW Uni or is it against the rules (I have no interest in joining 2, but want to increase my chances of joining 1)? Do you have any tips about getting in as well?

Thank you,
James.
jamestaylor
Regular Member
 
Posts: 23
Joined: March 9th, 2009, 9:41 pm

Re: Please check my HJT log as I want to apply for the uni...

Post by Axephilic » March 31st, 2009, 11:55 am

jamestaylor wrote: Anyway, thank you. Just scanned with Spybot S&D and it's found some spyware so just got rid of that.

What did it find? Can you be more specific?

Yes, I recently graduated from the uni. If they have not yet contacted you, an admin will in the near future. It can take a few weeks during peak periods. I don't recommend applying at another uni until you have heard back from this one. My best tip is to just be patient and they will get to you. :)

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Please check my HJT log as I want to apply for the uni...

Post by jamestaylor » March 31st, 2009, 12:54 pm

Axephilic wrote:
Anyway, thank you. Just scanned with Spybot S&D and it's found some spyware so just got rid of that.

What did it find? Can you be more specific?

31.03.2009 13:59:02 - ##### check started #####
31.03.2009 13:59:02 - ### Version: 1.6.2
31.03.2009 13:59:02 - ### Date: 31/03/2009 01:59:02 PM
31.03.2009 13:59:05 - ##### checking bots #####
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk System Service
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk System Service
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk System Service
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk System Service
31.03.2009 14:05:51 - found: MyRegistryCleaner Settings
31.03.2009 14:07:39 - found: MegaUploadToolbar Executable
31.03.2009 14:07:39 - found: MegaUploadToolbar Program directory
31.03.2009 14:07:40 - found: MegaUploadToolbar Executable
31.03.2009 14:07:40 - found: MegaUploadToolbar Executable
31.03.2009 14:07:40 - found: MegaUploadToolbar Data
31.03.2009 14:07:40 - found: MegaUploadToolbar Data
31.03.2009 14:07:40 - found: MegaUploadToolbar Program directory
31.03.2009 14:31:08 - found: AdRevolver Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:08 - found: DoubleClick Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:08 - found: Statcounter Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:08 - found: Right Media Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:08 - found: BurstMedia Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:08 - found: Adviva Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: DoubleClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: DoubleClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: MediaPlex Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: MediaPlex Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: CasaleMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: HitBox Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: HitBox Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: HitBox Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Adviva Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: BurstMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: BurstMedia Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: FastClick Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: MediaPlex Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: WebTrends live Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: AdRevolver Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - ##### check finished #####
jamestaylor
Regular Member
 
Posts: 23
Joined: March 9th, 2009, 9:41 pm
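The helper's next step, deciding from the Spybot log above whether a rootkit scan is warranted, written out as added example code (not from the original thread or from Spybot): it parses the "found:" lines, groups them by detection name, rates each by its component type, and treats the TDSS family as high severity. The log excerpt is a constructed sample in the format posted above; the ROOTKIT_FAMILIES set and the severity rules are this example's own assumptions.

```python
"""Triage a Spybot S&D check log: group 'found:' lines by detection name
and decide whether the findings justify a dedicated rootkit scan."""
from __future__ import annotations
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt in the format of the log posted in this thread.
SAMPLE_LOG = """\
31.03.2009 13:59:02 - ##### check started #####
31.03.2009 13:59:02 - ### Version: 1.6.2
31.03.2009 14:04:40 - found: Win32.TDSS.rtk Settings
31.03.2009 14:04:40 - found: Win32.TDSS.rtk System Service
31.03.2009 14:05:51 - found: MyRegistryCleaner Settings
31.03.2009 14:07:39 - found: MegaUploadToolbar Executable
31.03.2009 14:07:40 - found: MegaUploadToolbar Program directory
31.03.2009 14:31:08 - found: Right Media Tracking cookie (Internet Explorer: James)
31.03.2009 14:31:09 - found: Zedo Tracking cookie (Chrome: Chrome)
31.03.2009 14:31:09 - ##### check finished #####
"""

# Component types that follow the detection name in this log format. Names
# may contain spaces ("Right Media"), so the name is matched non-greedily
# up to the first recognised component type.
COMPONENTS = ("System Service", "Program directory", "Tracking cookie",
              "Settings", "Executable", "Data")
FOUND_RE = re.compile(
    r" - found: (?P<name>.+?) (?P<component>"
    + "|".join(re.escape(c) for c in COMPONENTS) + r")(?P<detail>.*)$")

# Assumed list of families known to install a kernel-mode rootkit; TDSS is
# the one in this thread. Matched on the name's second dotted component.
ROOTKIT_FAMILIES = {"tdss"}


def parse_findings(text: str) -> List[Tuple[str, str]]:
    """Return (detection name, component type) for every 'found:' line."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            out.append((m["name"], m["component"]))
    return out


def severity(name: str, component: str) -> str:
    parts = name.lower().split(".")
    if len(parts) > 1 and parts[1] in ROOTKIT_FAMILIES:
        return "high"        # rootkit family: user-mode scanners may miss it
    if component == "System Service":
        return "high"        # a persistent service, not just leftovers
    if component == "Tracking cookie":
        return "low"         # privacy nuisance, no code execution
    return "medium"          # toolbars, rogue cleaners, stray files


def summarize(text: str) -> Dict[str, dict]:
    """Per detection name: hit count and the worst severity seen."""
    rank = {"low": 0, "medium": 1, "high": 2}
    summary: Dict[str, dict] = defaultdict(lambda: {"count": 0, "severity": "low"})
    for name, component in parse_findings(text):
        entry = summary[name]
        entry["count"] += 1
        sev = severity(name, component)
        if rank[sev] > rank[entry["severity"]]:
            entry["severity"] = sev
    return dict(summary)


def needs_rootkit_scan(text: str) -> bool:
    """True when any finding is high severity, i.e. follow up with GMER."""
    return any(e["severity"] == "high" for e in summarize(text).values())
```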

Re: Please check my HJT log as I want to apply for the uni...

Post by Axephilic » March 31st, 2009, 4:22 pm

I'm no longer 100% sure that you are all clean and would like to see one more log.

Run GMER
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All...
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Please post the GMER log and a new HijackThis log.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Please check my HJT log as I want to apply for the uni...

Post by jamestaylor » March 31st, 2009, 6:06 pm

Oh... Here you go (also, when going into Command Prompt, I got this message):

Command prompt wrote: System error 1060 has occurred.

The Specified service does not exist as an installed service.


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-31 23:00:07
Windows 6.0.6001 Service Pack 1


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1788] kernel32.dll!SetUnhandledExceptionFilter 75B26E2D 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2392] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [03A22F20] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2392] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [03A22CF0] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2392] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [03A22C90] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2392] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [03A22CC0] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@UDN uuid:ca0a6bb2-5bb9-4974-8fb7-69293bbbb3c0
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@SerialNumber {9F5E51BD-887B-4F88-8324-28AFBAFBD24C}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@FriendlyName james-pc
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@ModelName Windows Media Player
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@ModelNumber 11
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@Description Windows Media Player Renderer
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@ModelURL http://www.microsoft.com/windows/windowsmedia
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@ManufacturerURL http://www.microsoft.com/
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@Manufacturer Microsoft
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@NetworkInterface {D8932E52-6A6F-11DB-B6AB-806E6F6E6963}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00@IconFileName C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\00-00-00-00-00-00.png
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\MAC Access Control\S-1-5-21-2119908331-4203043047-2055449669-1000@00-00-00-00-00-00 0
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\MAC Access Control\S-1-5-21-2119908331-4203043047-2055449669-1001@00-00-00-00-00-00 0
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\MAC Access Control\S-1-5-21-2119908331-4203043047-2055449669-1002@00-00-00-00-00-00 0

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\LogFiles\HTTPERR\httperr1.log (size mismatch) 19438/19123 bytes
File C:\Windows\System32\LogFiles\Scm\SCM.EVM (size mismatch) 360448/327680 bytes
File C:\Windows\System32\wfp\wfpdiag.etl (size mismatch) 65536/0 bytes

---- EOF - GMER 1.0.15 ----
jamestaylor
Regular Member
 
Posts: 23
Joined: March 9th, 2009, 9:41 pm

Re: Please check my HJT log as I want to apply for the uni...

Post by Axephilic » March 31st, 2009, 7:25 pm

OK, I wouldn't worry too much about that error.

I will now go back to considering you all clean. :) There were some remnants of a TDSS infection, but since ComboFix and GMER both came out clean, I don't think it is present anymore.

Please let me know if you have any questions otherwise I will have this topic archived. :)

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Please check my HJT log as I want to apply for the uni...

Post by jamestaylor » March 31st, 2009, 7:57 pm

Well, that's good news. Thank you.

I think that's it then. If my PC is clean, I better hope I can get into the MW Uni. In the meantime, I'm off to bed.

Thank you, and good night :cheers:
jamestaylor
Regular Member
 
Posts: 23
Joined: March 9th, 2009, 9:41 pm

Re: Please check my HJT log as I want to apply for the uni...

Post by Axephilic » March 31st, 2009, 7:58 pm

You're welcome and good luck. :)
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Please check my HJT log as I want to apply for the uni...

Post by NonSuch » March 31st, 2009, 8:10 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California