After infected PC has been 'cleaned'

Post by JackRnl » September 29th, 2007, 2:49 pm

hi,

The PC of a friend of mine has been infected by quite a number of viruses, spyware and other malware.
She's 11000 km away, so I could only let HER perform tasks, as she didn't want to reinstall nor let me take control of her PC over the internet.

Spybot has been used but Adaware could not be installed.
A2SquareFree didn't install
NOD32 has been used to clean.
AVG had been installed but didn't work anymore.
Antivir wasn't able to install
SuperAntiSpyware has been used and still monitors her system.
VundoFix and EzulaFix have been applied
Using ProcessExplorer, I didn't find anything suspicious at the last inspection.
StartUpControlPanel has been used to deactivate some progs
As PC was slow starting/shutting down I let her install UPHClean

It seems she still has problems installing some progs like LzArch and AAW32

A file on her C: disk named CHECK_LSA7.TXT exists but cannot be deleted, as it seems to be in use.

Windows Update was performed JUST before HijackThis was run,
but as she had to go to bed we couldn't proceed today, so I want to post the HijackThis log to ask what (if any) suspicious entries still appear.

******* Start HiJackThis.log
Logfile of HijackThis v1.99.1
Scan saved at 12:02:09 AM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ZoneTick\zonetick.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qxakxcpg.dll",sitypnow
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FA88016-CF0D-494F-9191-53DD6E56AFCA}: NameServer = 203.115.130.40 203.115.130.42
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

******* end HiJackThis.log

Questions:
a) What about the O17 NameServer entry?
b) SearchIndexer was deactivated using StartupControlPanel (MLin) but appeared again. Is this the genuine MS file? Do we need it anyway [how to turn it off]?

Additional questions:
c) (O4) BigDog303, (O4) swg, (O12) Plugin for .spop, (O23) gusvc: do we really need them? How can we deactivate them?
d) I see a lot of entries for both Yahoo and MSN, especially (O18) livecall and msnim. I'm asking myself, "what are they being used for, can it run without them?"
e) That file CHECK_LSA7 worries me. Is it a known file? If I use Unlocker to remove it, would it harm the system?
f) usnsvc.exe stays running even if MSN Messenger is closed (and problems are being reported, see http://www.rage3d.com/board/showthread.php?t=33882353). How can I get rid of it?
g) Lots of SQM files are being generated by MSN Messenger. How can I prevent that?
h) YServer seems to be running all the time; how can I avoid that?

I know many are not directly related to removing malware, but I consider programs that do so many "extra" things apart from what they are actually installed for (like JUST chatting) to be a pain in the ass, to say the least, and as you are pros I turn to you for advice on how to avoid those "extra" things.

thanks for any info
JackRnl
Active Member
 
Posts: 1
Joined: September 29th, 2007, 2:01 pm
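The two entries the poster asks about in (a) and (b) are the ones a helper would look at first: an O4 Run value that launches rundll32 against a system32 DLL with a random-looking eight-letter name and export, and an O17 per-interface DNS override. The script below, an added example that is not part of the thread and not HijackThis code, shows the triage logic a practitioner would apply to such a log. SAMPLE_LOG is a constructed subset of the log posted above; the name-shape thresholds in `looks_random` and the `expected_resolvers` argument (the ISP's real resolvers, which the thread does not give) are assumptions for illustration. A hit is a signal to investigate, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines (added example).

Not part of the original thread and not HijackThis code. SAMPLE_LOG is a
constructed subset of the posted log; the thresholds in looks_random and the
expected_resolvers argument are assumptions for illustration.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name severity reason")

# Constructed sample: lines copied from the posted log, chosen so the rules
# have both hits (SearchIndexer, O17) and non-hits (BigDog303, SUPERAntiSpyware).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qxakxcpg.dll",sitypnow
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FA88016-CF0D-494F-9191-53DD6E56AFCA}: NameServer = 203.115.130.40 203.115.130.42
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# O4: autorun value under a Run key -> hive, value name, command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 launching a DLL by path with an explicit export name.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# O17: per-interface DNS server override.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def looks_random(stem):
    """7-9 lowercase letters with at most two vowels.

    This is the "random letters" shape many droppers of the period used for
    DLL file names and export names. Assumed thresholds; a triage signal only.
    """
    return bool(re.fullmatch(r"[a-z]{7,9}", stem)) and sum(c in "aeiou" for c in stem) <= 2


def triage(log_text, expected_resolvers=frozenset()):
    """Return a list of Finding for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m["cmd"])
            if r:
                dll_path = r["dll"]
                stem = dll_path.rsplit("\\", 1)[-1][:-4].lower()  # file name without ".dll"
                export = r["export"].lower()
                if looks_random(stem) or looks_random(export):
                    findings.append(Finding(
                        "O4", m["name"], "high",
                        f"{m['hive']} Run value launches rundll32 on {dll_path},{export}: "
                        "random-looking DLL/export name; identify the file before trusting it"))
            continue
        m = O17_RE.match(line)
        if m:
            ips = IPV4_RE.findall(m["servers"])
            unexpected = [ip for ip in ips if ip not in expected_resolvers]
            if unexpected:
                findings.append(Finding(
                    "O17", " ".join(ips), "review",
                    f"interface DNS overridden to {', '.join(unexpected)}; "
                    "confirm these belong to the ISP before trusting them"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.name}: {f.reason}")
```

Run with the ISP's resolvers passed as `expected_resolvers` and the O17 finding disappears, leaving only the rundll32 entry. That entry is worth the "high" rating on shape alone: a value named after a Windows component that loads an unsigned-looking system32 DLL through rundll32 from a Run key is exactly the kind of autorun the helper below suspects, and the file name, not the value name, is what to check (hash it, look it up, see what else references it).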

Post by IndiGenus » October 2nd, 2007, 12:16 pm

Hi JackRnl and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • NOTE:Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start, if possible.

I need to check any posts to you with a teacher/expert first so please be patient as we go through this.

------------------------------------------------------------------------------------

I need you to rename Hijackthis because I suspect that you may have the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
  • Right-click on it, then select Rename.
  • Name it something like: FindVundo.exe (or whatever you want) - Just make sure to keep the .exe part.
  • Then double-click the renamed HJT to scan and then post the new logfile.

------------------------------------------------------------------------------------

We are going to use HJT to create a list of your currently installed programs.
    1. Open HijackThis and click on the Config... button in the "Other stuff" section (lower right hand corner).
    2. Click on the Misc Tools button.
    3. Click on the Open Uninstall Manager... button.
    4. Click on the Save list... button.
    5. Save the file uninstall_list.txt to a convenient location. This should open Notepad with the list.
    6. Please Copy and Paste the list into your next reply.


NOTE: I will address your questions after we have cleaned up as some of your questions will likely be answered just by cleaning up.
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Post by IndiGenus » October 2nd, 2007, 2:48 pm

Download and Run ComboFix
  • Download this file from below:
    Here
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Post by IndiGenus » October 8th, 2007, 9:25 am

Hi,

Still need help here? Please let us know so we can close the thread if not.

Thanks,
Dave
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Post by askey127 » October 18th, 2007, 7:28 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 133 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware