View Full Version : Laptop infected
Little Oscar
2007-05-02, 19:25
Hi - thanks for looking at this! I have an older laptop (Win2000) that got infected. I ran AVG and it cleaned out 80+ infections. I was concerned when I got a pop-up stating that there were items were embedded in files and that the whole file would be quarrantined if selected. I didn't on the first scan but did on the next scans. There are 3 different AVG scan reports included and the HJT.
With the infections, I could not connect to the internet and kept getting a dial up box with an unknown ph# to connect with. Now, I am having trouble connecting to the internet (MSN9 dial-up) and running the Trend Micro anti-virus. I uninstalled both and tried to re-install. The MSN software hangs up when it is dialing the modem. I checked the modem and it is working properly. It was working properly before the infection as well.
With the Trend Micro, I uninstalled the 2006 vers and attempted to install the 2007. It appears to only partially install and there are several pop-ups saying that there are files that cannot open and will shut down. I queried some of them on the net and they pertain to TM. I also had to uninstall SpyBot before I could try to install Tm.
I don't know if there's still some infection or virus or if I just totally screwed up trying to fix things on my own. Would you review the reports and provide some guidance? Thank you!
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:28:50 PM 04/29/2007
+ Scan result:
C:\dnmc10.exe/tr.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\0d9.exe/dsl.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
C:\dk9.exe/sl.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
::Report end
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:47:41 PM 04/28/2007
+ Scan result:
C:\dnmc10.exe/tr.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\0d9.exe/dsl.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
C:\dk9.exe/sl.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
::Report end
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:01:04 AM 04/29/2007
+ Scan result:
HKU\S-1-5-21-1960408961-1383384898-1957994488-1000\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\WINNT\inet20004\3.00.13.dll -> Adware.Ihbo : Cleaned with backup (quarantined).
C:\WINNT\inet20004\3.01.00.dll -> Adware.Ihbo : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\55.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\dnmc10.exe/tr.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\i66.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\tr.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\winmc0.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\0d9.exe/dsl.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
C:\dk9.exe/sl.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
C:\WINNT\system32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 9:17:36 PM, on 5/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
C:\WINNT\winlogon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nettools.usps.gov/proxy.pac
F3 - REG:win.ini: run=C:\WINNT\inet20004\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - HKCU\..\Run: [System] C:\WINNT\winlogon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: msupdate - C:\WINNT\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: prxsvc - {7240FB1F-BCF7-4773-AC1A-4EFE254393FD} - prxsvc.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
pskelley
2007-05-04, 13:14
Welcome to the forum, and sorry to be the bearer of bad news. You have some very bad infections. There is a Vundo infection indicated by this file: msupdate32.dll
But my major concern are these backdoor trojans:
C:\WINNT\winlogon.exe
F3 - REG:win.ini: run=C:\WINNT\inet20004\winlogon.exe
O4 - HKCU\..\Run: [System] C:\WINNT\winlogon.exe
http://www.greatis.com/appdata/d/Windows/i/inet20004_winlogon.exe.htm
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
http://www.castlecops.com/O23.html
Defragmentation Management Handler (FAT
Defragmentation) X dfrgfat32.exe Added by the W32/Codbot-AB WORM! Note: This worm\trojan file is found in the System32 folder.
http://www.sophos.com/virusinfo/analyses/w32codbotab.html
In light of this information and for your safety and security I need to post this information for you.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
Please let us know what you have decided to do in your next post.
Thanks
Little Oscar
2007-05-04, 15:45
Thank you for the info and for responding so quickly. The laptop will be used for surfing, personal email and Itunes for about 18 months and then will be replaced. I feel that disinfection will suffice in this case. Thanks for helping - what should I do first?
pskelley
2007-05-04, 15:58
Please read and follow the directions carefully, this is your best chance for success.
Thanks to andymanchesta and anyone else who helped with the fix.
1) Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
(Hold those reports and logs until the end of the instructions)
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Thanks to Atribune and any others who helped with this fix.
2) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Post the Vundofix.txt, the Report.txt from SDFix and a new HJT log. There will be more to do.
Thanks
Little Oscar
2007-05-07, 19:39
OK - here are two of the reports. I ran the VundoFix 5 times and none produced any results. All stated that there were no infections found.
SDFix: Version 1.82
Run by Julie - Sun 05/06/2007 - 20:35:34.33
Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\DOCUME~1\Julie\Desktop\SDFix
Safe Mode:
Checking Services:
Name:
Windows Overlay Components
ImagePath:
C:\WINNT\bntmhlu.exe
Windows Overlay Components - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINNT\SYSTEM32\MSCONF.EXE - Deleted
C:\WINNT\inet20004\mm.pid - Deleted
C:\Documents and Settings\Julie\Application Data\Install.dat - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\qvxgamet3.exe - Deleted
C:\WINNT\system32\svcp.csv - Deleted
C:\WINNT\system32\vx.tll - Deleted
C:\WINNT\system32\winsub.xml - Deleted
C:\WINNT\winlogon.exe - Deleted
Folder C:\WINNT\inet20004 - Removed
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINNT\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Remaining Files:
---------------
Backups Folder: - C:\DOCUME~1\Julie\Desktop\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\WINNT\system\svchost.dll
C:\Program Files\InterActual\InterActual Player\iti6.tmp
Finished
___________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 10:33:51 PM, on 5/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
C:\Documents and Settings\Julie\My Documents\HJT apps\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nettools.usps.gov/proxy.pac
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: msupdate - C:\WINNT\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: prxsvc - {7240FB1F-BCF7-4773-AC1A-4EFE254393FD} - prxsvc.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Thanks. . . .
pskelley
2007-05-07, 20:32
Thanks for returning your information and the feedback. Please follow the directions carefully.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
4) Disable the Service
Click Start > Run and type services.msc
Scroll down to Defragmentation Management Handler and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
5) Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (FAT Defragmentation) and press OK.
OK any prompts, close HijackThis, and restart your computer.
6) How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINNT\SYSTEM32\msupdate32.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some items may be gone, just don't miss any)
O20 - Winlogon Notify: msupdate - C:\WINNT\SYSTEM32\msupdate32.dll
O21 - SSODL: prxsvc - {7240FB1F-BCF7-4773-AC1A-4EFE254393FD} - prxsvc.dll (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
8) RIGHT Click on Start then click on Explore. Locate and delete these items:
(may be gone)
C:\WINNT\SYSTEM32\msupdate32.dll <<< delete that file
C:\WINNT\system32\dfrgfat32.exe <<< delete that file
9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log, let me know how the computer is running.
Thanks
Little Oscar
2007-05-09, 05:38
I got as far as step 5. I typed in "(FAT Defragmentation)" - without quotes - and got a box stating that it was not in the registry. Should I continue on to step 6?
pskelley
2007-05-09, 13:10
Yes, finish the rest of the instructions.
Thanks
Little Oscar
2007-05-10, 15:58
Finished the instructions. Here's the new HJT report. If all looks OK, I will attempt to load Trend Micro and MSN9.
Logfile of HijackThis v1.99.1
Scan saved at 10:02:49 PM, on 5/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Julie\My Documents\HJT apps\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nettools.usps.gov/proxy.pac
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
pskelley
2007-05-10, 16:18
Thanks for returning your information, I need to know if you are removing items from the HJT log or using a whitelist to have them removed? Your log does not look like it is complete?
If you are not removing anything, then do this:
1) I see no anti-virus program running on this computer, it is cyber-suicide to go online without one. If you need a free one, this is a good free program:
http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5
DO NOT be confused between this antivirus program and the AVG Anti-Spyware program you are running. They are NOT the same and they do two different jobs.
(sorry, I missed what your said about Trend, you need to get something installed, you should NOT be online without an antivirus program and a firewall. I also suggest a good Spyware program, if the AVG Anti-Spyware program is only a trial, let me know and I will suggest a free program if you wish)
2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
3) Use these instructions to run AVG Anti-Spyware and delete or at least quarantine anything it finds. Post the scan results and if all is well, you will be good to go.
http://forums.security-central.us/showthread.php?t=3165
Thanks
Little Oscar
2007-05-10, 20:43
I know what you mean about HJT not looking complete. I don't have a white list - just do the HJT scan and checked items to be fixed.
Regarding step 2 - not sure I understand because of the plural use of "...these line items" - Should O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) be checked also?
pskelley
2007-05-10, 22:41
Thanks for that information and just check and remove the one item with HJT. It is just a dead line, you already remove the file.
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
Thanks
pskelley
2007-05-14, 13:58
Have these issues been resolved? If not, I am waiting for the results of the AVG Anti-Spyware scan:
3) Use these instructions to run AVG Anti-Spyware and delete or at least quarantine anything it finds. Post the scan results and if all is well, you will be good to go.
http://forums.security-central.us/showthread.php?t=3165Please add a new HJT to log to that, run the log after AVG is complete and you have done a restart.
Thanks
Little Oscar
2007-05-14, 14:53
Sorry that it's taking me so long. I loaded the anti-virus and MSN9. I updated SpyBot & Ad-aware and ran the scans. I downloaded 60 MS updates. I forgot to update AVG & scan! I will do that and post it & HJT later today.
Little Oscar
2007-05-15, 05:36
OK - here are the reports:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:13:38 PM 5/14/2007
+ Scan result:
C:\WINNT\system32\dofcpr.dll -> Backdoor.Agent.tx : Cleaned.
C:\Documents and Settings\Julie\Cookies\julie@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Julie\Cookies\julie@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Julie\Cookies\julie@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Julie\Cookies\julie@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Julie\Cookies\julie@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Julie\Cookies\julie@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 9:16:49 PM, on 5/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Julie\My Documents\HJT apps\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nettools.usps.gov/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178944957091
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178988077165
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
Thanks for your patience!
pskelley
2007-05-16, 15:19
Oops sorry:sad: I did not get notified when you posted. AVG looks good and the HJT log is clean:bigthumb: How's the computer running?
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Little Oscar
2007-05-19, 06:39
I think it's OK now. Start up and reboot is much slower, but programs are opening and net browsing are reasonable.
Thank you for all your help! I appreciate it SO much! And, thanks for all the great info too!
pskelley
2007-05-19, 13:21
Thanks for the feedback, let me add some information, and some may repeat, that may help with the issues you report:
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
I've had these links a while, but something in them may also help:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471
I also suggest a free diagnostic, and you can get that here:
http://www.pcpitstop.com/
Help with results: http://pcpitstop.invisionzone.com/index.php?showforum=6
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
If you link me to the test results, I may spot something to help.
Thanks...Phil
pskelley
2007-05-21, 16:33
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks