Getting rid of a bad Trojan

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I would like to know what you would do to get rid of a bad Trojan. I used everything on my other older system: AVG 8.0, Lavasoft, Spybot, and I did a Trend Micro online scan in safe mode.

This is on my older system with Windows XP SP2. I was trying to upgrade to SP3 but this won't let it; it is also stopping me from burning CDs. I want to move some files over from one system to another and I need my CD burner working. What are your suggestions? Thanks.

What do you think of this?

Trojan

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Give Stinger a try. It is a small program that can detect and eliminate many common trojans.

The trojan also can't mask itself, because stinger doesn't use standard anti virus based removal. Give it a shot and see how it works.

http://vil.nai.com/VIL/stinger/

screen317

Ascalonian Squire

Join Date: Jul 2008

R/Mo

If Rahja the Thief will permit my intervention, I would be more than happy to assist you if you provided a HijackThis log. If not, please disregard the following text.


Please download HijackThis from here.

Save it to a permanent folder (such as C:\HJT).


Next, open HijackThis, and select Do a system scan and save a logfile.

A Notepad document will open. Please post the contents of that document.

-screen317

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

^ His method will work too. And Screen, I never mind people posting helpful stuff. Welcome to the tech forum.

Alexandra-Sweet

Wilds Pathfinder

Join Date: Dec 2006

That one place with the trees, mountains and snow

Ember Power Mercenaries [EMP]

Me/

From what I've heard HijackThis is probably the best way to get rid of nasty things, though it requires some "professional" help.

I've always wondered what these people do with the logs. Do they just Google all the .exe's running and see if they're harmful? Sounds dull...

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT??0 ??1hr DST

[GURU]GW [wiki]GW2

R/

Welcome to Guru, and Tech Corner in particular, screen317. Are you capable of deciphering HijackThis logs? If so, stick around - having someone like you aboard will be most welcome

Oh, and I should point out a limitation of this forum. There is a size restriction of 19.5KB for a .txt file. An unofficial workaround is to rename the file from .txt to .doc, because, bizarrely, you can have a potentially lethal, macro-filled .doc file of up to 488.3KB. Go figure ^^

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I have downloaded Stinger and ran it; it seemed pretty fine. Then I ran Spybot again and the trojan came up, 2 in fact. Here is my HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:51 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 4498 bytes

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

You are infected with a variant of the Cozit worm.

See that getright.exe program? Get rid of that immediately. You want to make sure that it is totally cleared from the system. The version you downloaded included the Cozit worm. That was immediately apparent.

screen317

Ascalonian Squire

Join Date: Jul 2008

R/Mo

Hello,

Quote:
I've always wondered what these people do with the logs, do they just Google for all the .exe's running and see if they're harmfull? Sounds dull.
Not quite... I trained extensively for a year and a half to learn about the many intricacies of malware in all of its horrific facets.


Quote:
Welcome to Guru, and Tech Corner in particular, screen317. Are you capable of deciphering HijackThis logs? If so, stick around - having someone like you aboard will be most welcome
Yes, see tidbit above.

I graduated from SpywareInfo's Boot Camp a year ago, was promoted to Trusted Advisor in January 2008, and promoted to Expert in June 2008. Hope my qualifications are adequate. See my profile if any sort of proof is required: http://www.spywareinfoforum.com/inde...showuser=74524

I will be more than happy to stick around.

Unfortunately though, I'm leaving on Tuesday for a month to vacation in my home country (Croatia); I'll be without Internet access, but I'll certainly help here upon my return.



As for this user..

Rahja the Thief is correct in saying GetRight is an undesired program (it's a download manager). Previous versions bundled spyware; not sure where this report of the Cozit worm came from though. Either way Age, please uninstall it.


Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u7.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windowsi586-p.exe to install the newest version.

Restart your computer, and post a fresh HijackThis log. Let me know what problems remain.


-screen317

Edit: I guess BBCode color isn't supported??

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT??0 ??1hr DST

[GURU]GW [wiki]GW2

R/

I assume the Kaspersky online scanner only works with IE, hence the instruction to use it? Damn, one of the few things in existence to force you to use the damn thing! I don't care how improved IE is; once bitten, twice shy!

Oh, and yes - color has been disabled in the BBcode in this forum. I assume the site admins wanted to avoid having an unsightly rainbow of threads (I know these people: It would happen ^^)

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

SMS (lolgw2placeholder)

Me/

Off topic: Glad Screen is here. Looks like we have another awesome resource in the forum arsenal.

Anyway, that's the main reason I don't use (well, if I ever had occasion to) HijackThis. But that should take care of the problem.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

Here is a copy of the report. I could not scan it, but I can if I rescan later on. I uninstalled GetRight and deleted the installer. No more GetRight for me.

Here is the report:


Monday, July 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 21, 2008 06:42:41
Records in database: 979645
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
Scan statistics
Files scanned 130824
Threat name 4
Infected objects 8
Suspicious objects 0
Duration of the scan 05:23:06

File name Threat name Threats count
C:\Downloads\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
C:\Downloads\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1787\A0358299.msi Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1787\A0358299.msi Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1788\A0358304.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1788\A0358305.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1790\A0360702.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1790\A0360702.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
The selected area was scanned.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Have you run the built in Windows Malicious Removal Tool?

Start > Run > mrt.exe
Do a full scan.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

No, I have not. Is that how you use it?

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Yes, it is. You should also update to SP3.

You should also run NOD32's online scanner: http://www.eset.com/onlinescan/

If you really want to do a thorough check on your computer, snag my LunarDownloader and get the Professional package. Under Links, click PC Maintenance for a comprehensive guide to help you clean your computer.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I will wait until screen sees the report. I cannot update to Windows XP SP3 because of this, and with LunarDownloader there is something wrong with the links; I tried that yesterday.

I need to move my ISP cable over to my other computer to update it, and that is where I now play GWS, not this one, although it still has it on it.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

The reports say you are infected in your System Restore, which can easily be cleaned. The reported WinVNC "virus" is a false positive and is not any threat.

Start > Run > rstrui.exe
Create a new restore point.

Next, Start > Run > cleanmgr.exe
More Options tab.
At the bottom, System Restore. Click Clean up...

You can try to get LunarDownloader from BetaNews. You can also get it from Softpedia.

I also highly recommend uninstalling Internet Download Accelerator. Those things never work and are more trouble than they're worth.
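As an added illustration of the reading Tarun gives above (this is my own example, not code from the thread or from any tool mentioned in it), here is a small Python triage of a Kaspersky Online Scanner report in the layout Age posted. It sorts findings into three buckets: copies inside System Restore snapshots (inert until a restore point is applied, and cleared by the restore-point cleanup described above), "not-a-virus:" detections (riskware such as the WinVNC installer), and anything else, which would be a live infection. The bucket names, the advice strings and the `placeholder_dropper.exe` line are my own constructions; the other four finding lines are copied from the report in this thread.

```python
import re

# Sample input in the layout of the Kaspersky Online Scanner 7 report posted in
# this thread. The first four finding lines are copied from that report; the
# fifth is a constructed placeholder standing in for an active infection.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Downloads\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
C:\Downloads\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1787\A0358299.msi Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1790\A0360702.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
C:\WINDOWS\system32\placeholder_dropper.exe Infected: Trojan.Win32.Placeholder.a 1
The selected area was scanned.
"""

# One finding per line: "<path> Infected: <threat name> <count>". The path may
# contain spaces, so it is matched non-greedily up to the " Infected: " marker.
FINDING_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Files under <drive>:\System Volume Information\_restore{...}\RPnnnn\ are
# System Restore snapshots: nothing runs from there unless the point is restored.
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)

# Responder actions per bucket (my wording, following the advice in this thread).
ACTIONS = {
    "active": "live file outside System Restore: remove or quarantine, then re-scan",
    "restore-point": "copy inside a System Restore snapshot: create a fresh restore "
                     "point, then clear the old ones (cleanmgr.exe > More Options > System Restore)",
    "riskware": "'not-a-virus:' class (remote-admin tool, rogue 'antispyware' installer): "
                "keep only if the user installed it knowingly",
}


def parse_findings(report):
    """Return one dict per 'Infected:' line; header, footer and blank lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return findings


def classify(finding):
    """Location is tested first: a restore-point copy is inert whatever its detection name."""
    if RESTORE_RE.match(finding["path"]):
        return "restore-point"
    if finding["threat"].startswith("not-a-virus:"):
        return "riskware"
    return "active"


def triage(report):
    """Group findings by bucket: {bucket: [finding, ...]}."""
    groups = {name: [] for name in ACTIONS}
    for finding in parse_findings(report):
        groups[classify(finding)].append(finding)
    return groups


def summary(report):
    """Number of findings per bucket."""
    return {name: len(items) for name, items in triage(report).items()}


if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"== {name} ({len(items)}): {ACTIONS[name]}")
        for f in items:
            print(f"   {f['threat']}  {f['path']}")
```

Run it on a saved report with `triage(open("report.txt").read())`; anything that lands in the `active` bucket is what a responder deals with first, while the two other buckets match the "cleaned via System Restore" and "false positive" reading given in the post above.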

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I was hoping not to do that yet. I want to burn some files to a CD and transfer them over to my other computer. I may have to get a USB memory stick.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Doing as instructed will not hurt you in any way. It may help resolve the issues you're experiencing.

screen317

Ascalonian Squire

Join Date: Jul 2008

R/Mo

I agree with Tarun's suggestions.

Quote:
I assume the Kaspersky online scanner only works with IE, hence the instruction to use it?
It also works with Firefox's IETab add-on...


Age, are you experiencing any actual problems? If so, please state them with a fair bit of detail. Malware does not appear to be on this computer.

-screen317

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

The only things I can't do are update to Service Pack 3 and use my CD rewriter; as well, my System Restore only goes back to June. I can do what Tarun suggests, except at this point I can't do any downloading as I am on my other computer atm; I can do that tomorrow.

What download accelerator? I uninstalled GetRight, deleted the installer and did a disk clean.

Where do I find this file, or can I just type it in the Start > Run box?

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Cozit is a low priority worm that came with GetRight at one point. It is more spyware than a worm, but the way it functions forces classification of it as a worm.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I must have an older version of XP because I can't type those .exe commands in the Start > Run box. This is what this person has said.

This bad file

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

You could give Dial-a-fix a shot, and if you can, run LSPFix too.

http://wiki.lunarsoft.net/wiki/Dial-a-fix
http://cexx.org for LSPFix

ducktape

Krytan Explorer

Join Date: Jul 2005

W/R

Ok, whatever you do, PLEASE UNINSTALL THAT VERSION OF VNC IMMEDIATELY!!! The version you have is vulnerable to a security exploit that lets people into your PC, and they can do literally anything to it when they are in. You need any version of VNC that is newer than 4.1.1 in order to keep from getting re-hacked.

We had lots of problems with this at my work for a while. Upgraded everyone's VNC and the problem went away. Until that damn flash exploit last month, anyways.

Speaking of which, go to C:\windows\system32\macromed\flash and make sure you have a file in there called flash9f.ocx. If you have flash9e.ocx or anything else, you have a version of Flash Player that is a cootie's best friend and will win you lots of malware just from browsing the internet. To update your Flash, you can just run the FlashUtil9.exe file in the same folder. If your Flash is really ancient, there might be an exe named GetFlash.exe sitting there instead; run that.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I know I still have to get rid of VNC, and I have updated to the new version of Flash, at least I should have. This is what I have done so far: I updated to Spybot S&D 1.8 from 1.4 and Lavasoft Ad-Aware 2008 from 2007. I was getting 2 Trojans with Spybot 1.4.

What I'd like to get rid of is file No. 10, as HijackThis can't do it; it says go to this site and I get a 404 error, or use S&D, which I did, and it is still there. This is my latest report btw.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:12 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 3728 bytes

I am redownloading XP SP3 and will do that LunarDownloader another day if this doesn't work out too well. I need my ISP cable on my good newer PC.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta.

Default-color items are optional, red are known to be malicious.

Changed registry value
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Created extra registry value where only one should be
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

Broken Internet access. To fix these you will need LSPFix
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Downloaded Program Files item
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

Aside from needing SP3, you should also update to IE7 for added security.
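For readers wondering what a HijackThis log analyser actually does, here is an added Python example (my own code, not Tarun's converter and not part of the thread) that applies the rules of thumb given in this thread to the entry lines of the second log above: entries ending in "(no file)" or "(file missing)" are orphaned references and safe to fix, O10 Winsock LSP entries must only be repaired with LSPFix, O20 AppInit_DLLs and O23 services with "Unknown owner" need the named file verified, and O4 autostarts are optional. The bucket names and advice text are my own; the sample entries are copied from the log in this thread.

```python
import re

# Sample input: the entry section of the second HijackThis 2.0.2 log posted in
# this thread (process list and a few repeated entries omitted). These lines are
# the thread's own data, not constructed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Review buckets and what to do with each (my wording, following the thread's advice).
ACTIONS = {
    "orphan": "registry points at a file that no longer exists; safe to fix with HijackThis",
    "lsp": "Winsock LSP chain entry; repair only with LSPFix, a raw HijackThis fix can break Internet access",
    "appinit": "AppInit_DLLs is loaded into every process that loads user32.dll; verify the DLL's publisher",
    "unknown-service": "service binary with no publisher name; verify the file (hash lookup, signature)",
    "autostart": "Run/RunOnce entry; optional, review one by one, not malware by itself",
    "browser-setting": "browser start page; fix only if it is not the one the user set",
    "other": "no rule matched; review manually",
}


def parse_entries(log):
    """Return (code, body) pairs for every 'Xn - ...' line; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def classify(code, body):
    """Map one entry to a bucket. The orphan test comes first: a missing file
    makes the entry harmless regardless of its section."""
    if "(no file)" in body or "(file missing)" in body:
        return "orphan"
    if code == "O10":
        return "lsp"
    if code == "O20":
        return "appinit"
    if code == "O23" and "Unknown owner" in body:
        return "unknown-service"
    if code == "O4":
        return "autostart"
    if code in ("R0", "R1"):
        return "browser-setting"
    return "other"


def triage(log):
    """Bucket every entry: {bucket: [(code, body), ...]}."""
    buckets = {name: [] for name in ACTIONS}
    for code, body in parse_entries(log):
        buckets[classify(code, body)].append((code, body))
    return buckets


def report(log):
    """Human-readable triage, one section per non-empty bucket."""
    lines = []
    for name, entries in triage(log).items():
        if entries:
            lines.append(f"== {name}: {ACTIONS[name]}")
            lines.extend(f"   {code} - {body}" for code, body in entries)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Fed the full log, `report(open("hijackthis.log").read())` prints the same kind of grouped listing as the converter output above. The rules are deliberately conservative: nothing is labelled malicious by name, and the LSP, AppInit and unknown-owner buckets only say "verify", because, as this thread shows with nwprovau.dll, an entry that looks odd can be legitimate.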

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I know about No. 10 as well as the rest of those, and thanks for that tool to get rid of them. Thanks.

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT??0 ??1hr DST

[GURU]GW [wiki]GW2

R/

Ooh, a HJT log analyser!

Is that usable by bog standard end users to any extent? Or does it still require deep down knowledge of HJT?

Is it available?

samba

Academy Page

Join Date: May 2006

W/Mo

Okay now.... :E

You can fix this:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

And these you can fix if you don't need them:
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
They are not viruses.

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll DON'T FIX THIS! It's legit...

Go to www.bleepingcomputer.com or www.malwareremoval.com and go to malware removal school, and then you'll learn how to use HijackThis..

Btw, Spybot Search & Destroy and Ad-Aware are both just so useless; I'd rather use Malwarebytes Anti-Malware...

zamial

Site Contributor

Join Date: Apr 2006

Usa

TKC

N/

HJT is an awesome program but can be harmful to your system. In this instance you can turn into your own worst enemy.

There is no school, that I have ever heard of, that offers a malware removal course. There are however many online lists of HJT log files. ALWAYS compare a few lists to be more positive.

Ad-Aware SE and Spybot S&D are industry TRUSTED programs. There are many other programs available; some even put malware on your computer for you, isn't that nice.

samba

Academy Page

Join Date: May 2006

W/Mo

www.malwareremoval.com
www.geekstogo.com
www.bleepingcomputer.com

Above me you can see a few links to malware removal schools (you have to search a lil to find it). I'm actually studying at malwareremoval, and I have graduated from www.virustorjunta.fi (Finnish malware-removal site) as a Virus Expert.

zamial, Ad-Aware and Spybot S&D are total bull****. If you download rogue programs from the internet it's your own fault. Use trusted programs, and always research if you find a new one. Like Malwarebytes Anti-Malware and online scanners.

Don't play with HJT if you aren't 100% SURE that you know what you are doing.. Even the biggest experts make mistakes these days, and it can ruin your whole computer.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Spybot still does an outstanding job.

Websites that train you don't mean much in my opinion, real world experience is much more valuable.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

What I really need to be doing to get XP SP3 installed is this:
http://support.microsoft.com/kb/949377

I still can't get my CD writer to work though, and I don't use that often; that is hardware.

It would seem No. 10 is legit, but I like the fact that the web-based school tells you to use toolbars, where most malware resides.

samba

Academy Page

Join Date: May 2006

W/Mo

Quote:
Originally Posted by Tarun
Spybot still does an outstanding job.

Websites that train you don't mean much in my opinion, real world experience is much more valuable.
LOL, then you're wrong. After about six to twelve months at www.malwareremoval.com, you'll be able to remove all kinds of nasties with all kinds of 'cool' programs. You'll not learn that in the 'real world experience'.

Real world experience= you try, you fail. At school it's no harm if you fail, at real situation it can really cost you.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

If I'm wrong, can you prove it? I'd like to see how I'm wrong about this.

Real world experience is far more valuable than any "forum training" because you actually deal with the malware yourself. You do much more than just sit there and say "Oh run this scanner and download this" with your pre-typed segment of text. My experience dealing with malware and other computer problems more than quadrupled because of my tech job. You can diagnose and solve problems faster and better with real world experience. Ever heard of the malware Elite Toolbar? Back when it was new a few years ago there were no scanners that detected it. HijackThis would have a couple items of it listed, but aside from that there was no detections for it at all. Due to real world experience you can easily navigate to the directory and remove all of the malware elements.

You won't learn that with real world experience? Really? Have you tried? Because if you had then you would know good and well that the experience from the real world takes you farther, and you can remove malware better and faster. Real world experience takes you beyond looking at a HijackThis log and pasting your pre-typed text from your "school" forums.

These forum "schools" simply tell you to look for certain things in HijackThis. They don't help you to clearly identify any of the symptoms that a user reports. Real world experience lets you look at the entire system. You feel the symptoms, see them with your own eyes. You can handle things from Safe Mode, track the paths of malware and remove them by hand if any scanner or tool fails.

To say Spybot is useless is uneducated at best. While I'm not saying you use one program to kill all malware, I am saying that you need more than one and quite often Spybot will find traces that other scanners do not find. While Spybot is not the first I run it's usually last due to the slow speed, though with 1.6 it has improved. It's true Spybot could be better, but it is not useless.

You shouldn't "need" all of these "cool programs" just to remove malware. It's ludicrous at how many scanners people think they need to remove the infections. Oh but wait, running all five of these scanners didn't work so now we have to make the user run this tool which can potentially damage the system. Combofix is a prime example, where it destroyed system32 directories because of a rootkit infection. Who was it that instructed them to run it? Those who "graduate" from these malware removal "schools" and then act like they're technicians with experience, when they are self-appointed technicians and nothing more. Now don't get me wrong, some of them are very nice and helpful people (such as screen317), but many get over-inflated egos and believe they are experts.

I wonder why you pretty much duplicated what I had already posted for Age's log? Was there any purpose? None that I can see, except maybe a +1 to your post count. It gets messy when many types of people try to clean and diagnose these issues. If someone is already being helped, leaving them to the technician assisting them is best. If something is overlooked, sure; go ahead and point it out, otherwise let the technicians already assisting the user handle it.

samba93, if you want to continue this discussion, PM me or start another thread. This thread is not where it belongs.

Age, sorry that your post has been driven off topic by a few. I wish I could help clean this thread up so Age has one thing to focus on, and not have to be concerned about other posts. If it continues, we can handle any unnecessary posts.

If you need any more help, let us know. The Technicians are here to help you!

Painbringer

Furnace Stoker

Join Date: Jun 2006

Minnesota

Black Widows of Death

W/Mo

Tarun,

Just a question on an entry you pointed out:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

I read about a virus masking this entry on Bleeping Computers and Major Geeks, but it did not go into detail on how to tell if it is legit or the virus. Do you know of any way to check?

The entry was in my logs as well.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Having the user upload it to Jotti and VirusTotal is one way. If you're on the client machine you can do the same, or check the file itself manually.

http://www.sysinfo.org/startuplist.p...eroFilterCheck

I pointed it out mainly because it's not needed. I believe StartUpLite also recommends removing it.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

It is ok; I still believe in Spybot, as most use it and it is highly recommended more than others. It is good to check for newer versions every few months.

Age

Hall Hero

Join Date: Jul 2005

California Canada/BC

STG Administrator

Mo/

I tried LunarDownloader; it worked well and didn't take too long to do a scan. It cleaned up some things, but my older PC is still messed up. It can't use both the A and D drives and read from them as well. I am going to have to do the File Transfer Wizard and then do a Windows recovery.

Those 2 trojans did a lot of damage.