Did Step 1-6 but still Infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by turk_cmr, Jan 7, 2006.

  1. turk_cmr

    turk_cmr Private E-2

    Hello,

    This is my first time here. I checked the postings and found the "Run me first" and did what it said. After the few hours (literally) that it took to do all the cleaning up, I ended up still having some problems.

    I did the steps 1-6. I actually did and redid the cleaning a few times, but it always comes back.

    Microsoft Windows Malicious Software Removal Tool doesn't find anything.

    Ad-Aware SE finds one VX2 and a series of CoolWebSearch...

    Spybot Search & Destroy finds CoolWebSearch...

    Microsoft Antispyware doesn't find anything.

    Bitdefender finds quite a few problems and deletes the files, as you can see in the log attached.

    Panda ActiveScan finds one virus and two pieces of spyware, in its log as well.

    I am wondering, since I have two accounts in my Windows XP, do I have to clean up in both accounts or is it automatically done for the whole computer? For instance, at one point I had recovered access to the initial page of Internet Explorer through one account, but not through the other. Eventually, the problem came back anyway, but I'm wondering if I shouldn't clean up in both accounts.

    Hopefully someone here can give me a hand to solve my problem.
     
  2. turk_cmr

    turk_cmr Private E-2

    Re: Did Step 1-6 but still Infected (with logs)

    I forgot to upload my logs. Sorry about that!
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Did Step 1-6 but still Infected (with logs)

    You have multiple firewalls running. Both TrendMicro and Sygate. Uninstall one. Also make sure you do not have the WinXP SP2 firewall enabled.
    It looks like you have components from an HSA hijacker. Have you run about:Buster? If not, you should run it twice, save the log and post it here as an attachment.

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {4B02E42A-B623-F767-2CF1-00AA0DD56907} - C:\WINDOWS\crrm.dll
    O2 - BHO: WndPosSch Source Editor - {634EFDE4-087D-4ce9-952F-63C9EEB2E0BF} - C:\WINDOWS\WNDPOS~1.DLL
    O2 - BHO: Class - {92901035-3C67-CBB1-A5B7-7E37E4223E5B} - C:\WINDOWS\system32\sdkdi32.dll
    O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\nteb.exe
    O4 - HKLM\..\Run: [msok32.exe] C:\WINDOWS\system32\msok32.exe
    O4 - HKLM\..\Run: [d3fk32.exe] C:\WINDOWS\d3fk32.exe
    O4 - HKLM\..\Run: [winya32.exe] C:\WINDOWS\system32\winya32.exe
    O4 - HKLM\..\Run: [ntth.exe] C:\WINDOWS\system32\ntth.exe
    O4 - HKLM\..\Run: [addbh32.exe] C:\WINDOWS\system32\addbh32.exe
    O4 - HKLM\..\Run: [winni.exe] C:\WINDOWS\system32\winni.exe
    O4 - HKLM\..\Run: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
    O4 - HKLM\..\Run: [sysfs32.exe] C:\WINDOWS\system32\sysfs32.exe

    You are downloading and using way too much stuff online. I have never seen so many junk O16 lines before. What is all this stuff? Is it games? Have HJT fix any of the below stuff that you do not recognize. I don't have time to try to verify all this stuff. If you don't know what it is, fix it. It will just download again when you access the appropriate website (that is, if you need it).
    O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://chbib.chb.co.kr/jscss/keystroke/SCSK_4.0.0.7.cab
    O16 - DPF: {3C6CF2B1-8422-4465-88A7-81CF295E6D4F} (ViperW Class) - http://lbs.nate.com/bin/web/control/maptopia.cab
    O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://www.benchbee.co.kr/Speedtest/sysinfo2.cab
    O16 - DPF: {40420525-6152-11D7-B52C-0000E839A1CB} (activeWEBcatalog.WEBcatalog) - http://www.wisecatalog.co.kr/WEBcatalog/activeWEBcatalog.CAB
    O16 - DPF: {43B464D9-7BAC-4110-81AF-90EA8502B97D} - http://plugin.netpia.com/oneclick/webmail/NetpiaPIOCX.ocx
    O16 - DPF: {45091AA2-1574-4EC8-B520-4C27E29CF889} (GifFreezerCtrl Class) - http://www.gmarket.co.kr/challenge/neo_goods/dlls/gifFreezer.cab
    O16 - DPF: {45CF5201-0E05-4514-A5CF-05BF0A71262A} - http://ssasex.com/img/sender.cab
    O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_LiveUpdate_XPayMPIOCX.cab
    O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
    O16 - DPF: {5586077A-2041-4710-8F2E-0D5060D0378D} (Kdfense Control) - http://kings.cachenet.com/kdfx215/kdfense.cab
    O16 - DPF: {57BE93FE-5750-43C7-8614-D7CBC51693FE} (GuinBank Control) - http://www.guinbank.com/GuinBankX.cab
    O16 - DPF: {5AF23F72-BCB5-4E44-AD5B-E752973FB08C} (BankPayNewCtrl Control) - http://www.bankpay.or.kr/BankPayNew.cab
    O16 - DPF: {5E63815E-340D-47C2-BF56-E337F46CE57B} (NPkcWebInstall Control) - http://update.nprotect.net/sci/install/NPKCWebInstall.cab
    O16 - DPF: {60BA152D-B815-480B-AE9E-CC2B30023D8E} (Odo Control) - http://download.mgame.com/download/cab/wizgateplugin(notsign).ocx
    O16 - DPF: {62A859F8-F4A0-4C53-A02C-FE43199815C4} (PopdeskLauncher Class) - http://appupdate.popdesk.co.kr/files/download/PopdeskLauncher.cab
    O16 - DPF: {64D76536-0173-4873-AEC4-FF0A70DE3781} (BugsPlay Control) - http://tjap.bugsmusic.co.kr/setupfile/bugsplay_115.cab
    O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_9.CAB
    O16 - DPF: {672FD177-B140-4DCC-8614-926660D85292} (ISCPSASW Control) - http://iscu.dis.sholink.co.kr/sholink/iscu/ISCPSASW.cab
    O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://www.kookmincard.co.kr/initech/plugin/axINIplugin40.cab
    O16 - DPF: {6B565A08-592B-41D4-9468-7A3FEF58A4B0} (VirtualSetup Control) - http://www.cyberjls.com/help/VLABSetup/VirtualSetup.ocx
    O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.kookmincard.co.kr/images/sendmail/IniMasPlugin.cab
    O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.myipq.com/hosting/cibrowser/cibrowser_1_1_1_119.cab
    O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
    O16 - DPF: {76247B71-343A-48C8-BC7E-8F32676D3FFB} - http://koreatender.dis.sholink.co.kr/sholink/koreatender/KRTPSASW.cab
    O16 - DPF: {79023D14-ED08-4739-8CEF-D4564BC4E3ED} (SQuery Control) - http://web.pagemoa.com/SQuery.cab
    O16 - DPF: {7A43F370-05A1-40E3-8C2F-FF83D0768D46} (dmcco Class) - http://cafefiles2.hanmail.net/dmcc.cab
    O16 - DPF: {7DFFF6A7-F62C-406F-9C19-6A3664611E5D} (ChatClient Class) - http://chat.bugsmusic.co.kr/Download/BugsAxCtrl.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://img.kbstar.com/xecure/xw_install_v5463.cab
    O16 - DPF: {7FAB8081-EFAA-447B-B64D-8048C6D6914B} (Sundo_ZaolMapKTClient Control) - http://kr.traffic.yahoo.com/prop/map/Objects/Sundo_ZaolMapKTClient.1004.cab
    O16 - DPF: {87115337-60FA-4C80-882B-E87EA8838D2D} (MGAME Game Starter V8 Class) - http://download.mgame.com/download/cab/mgamev8.cab
    O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/iMBCContents.ocx
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
    O16 - DPF: {9B1489B1-58D3-11BD-B52D-0000E839A1CB} (activeWEBnewszine.WEBnewszine) - http://www.wisecatalog.co.kr/WEBnewszine/WEBnewszine.CAB
    O16 - DPF: {9C07B71A-EFC0-44D1-809F-8AD0FC7E338D} (Sundo_ZaolmapClient Control) - http://www.odsay.com/Objects/Sundo_ZaolmapClient.1086.cab
    O16 - DPF: {A3F9657A-976F-4719-B370-C6F765728C4B} (SecureSession Class) - http://www.dfsshilla.com/secui/client/SecuiDfsShillaIE.cab
    O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.cachenet.com/kdfx213/kdfense8.cab
    O16 - DPF: {A4BBD40E-CE6B-4028-9EA1-D509155DB6F5} (BMGiwsx Control) - http://www.rtouch.com/BlueMapViewer.cab
    O16 - DPF: {BACC7426-420C-4EDC-A1E6-8AF9B418290B} (ALDownX Control) - http://www.altools.co.kr/ALDownXControl.cab
    O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab
    O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/bugsLoader20041018.cab
    O16 - DPF: {C19A422E-37E6-4044-86C5-92BD5E92B7B7} (PopLiveLauncher Class) - http://appupdate.popdesk.co.kr/files/poplive/PopLive.cab
    O16 - DPF: {C8EF71CC-3F2D-4854-95B5-7148D4830B31} (MGAME Game Starter V11 Class) - http://download.mgame.com/download/cab/mgamev11.cab
    O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://tjap.bugsmusic.co.kr/setupfile/SetGlb.cab
    O16 - DPF: {D44C7CBF-FB35-41CF-8D6C-C0A2143EB46C} (Yessign3 Control) - http://www.yessign.or.kr/yessignCert/yessign3.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/yescard2/npkcx_inca.cab
    O16 - DPF: {DBCEFBFE-B49D-4D6C-B024-FE1903C0366E} (XBTSessionManager Control) - http://login.bugsmusic.co.kr/reg/cab/XBTSessionManager.CAB
    O16 - DPF: {DF472C86-9DD8-46C4-86D3-4A861DE82650} (LiveUpdate Class) - http://www.seemedia.co.kr/products/lu/sm180/8/SMLiveUpdater.cab
    O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/CongnamulMap_V14.cab
    O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,21
    O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
    O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx215/kdfense9.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
    O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} (WebCtl Class) - http://www.bccard.com/initech/plugin/INISafeWeb50.cab
    O16 - DPF: {F36BB72B-9876-4C6D-B22F-D68E480A39B5} (XFileUploadListDown.ListDownCTL) - http://www.blueyoyo.com/archives/XFileUpload/XFileUpload_OnlyOne.CAB
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FD07AC3E-89BC-4EA5-AFCA-19AD8C6C896B} (ShellObj Class) - http://download.mgame.com/Webexe/webexe.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\crrm.dll
    C:\WINDOWS\WNDPOS~1.DLL
    C:\WINDOWS\system32\sdkdi32.dll
    C:\WINDOWS\nteb.exe
    C:\WINDOWS\system32\msok32.exe
    C:\WINDOWS\d3fk32.exe
    C:\WINDOWS\system32\winya32.exe
    C:\WINDOWS\system32\ntth.exe
    C:\WINDOWS\system32\addbh32.exe
    C:\WINDOWS\system32\winni.exe
    C:\WINDOWS\mfcwk.exe
    C:\WINDOWS\system32\sysfs32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  4. turk_cmr

    turk_cmr Private E-2

    Thank you so much for taking time to help me out!

    Sorry, I realize I should have given you more information about which system I'm running. I use Windows XP Service Pack 1, as it says when I boot in Safe Mode. I do have a CD for Service Pack 2, but I work in Korea now and my Windows XP is in Korean but not my CD for Service Pack 2, which is in English. I was afraid of getting problems if I were to patch/upgrade using a different language than the one already on my computer. I emailed Microsoft about it and they just told me that they would come back to me about it. When they did, it was to tell me they weren't sure but to ask at another place, so I emailed again and they said I could try to phone somewhere... which I never did because I was fed up with all the trouble.

    Also, before I could read your answer, I had time to read further into the various postings and I downloaded AVG Free antivirus and used it a few times. It found some stuff and deleted some files.

    I wanted to get a newer version of Sygate Firewall because whenever I ran it, I couldn't see anything. When I wanted to install the new version, it uninstalled the current one I had. As for Trend Micro, I thought I had deleted everything about PC-cillin, so it is just my mistake that I still have it. Eventually, when I get rid of the virus/trojan problems, I will try to get rid of Trend Micro and reinstall Sygate.

    I had not tried about:Buster, so I did it twice in normal mode and then I realised it should be done in safe mode, so I did it twice again.

    I deleted all my O16 stuff since you said it would download itself again whenever and if I needed that. I did FIX with HJT and everything was fine up to then.

    After, I booted in safe mode but I couldn't find any of those files you asked me to delete:
    C:\WINDOWS\crrm.dll
    C:\WINDOWS\WNDPOS~1.DLL
    C:\WINDOWS\system32\sdkdi32.dll
    C:\WINDOWS\nteb.exe
    C:\WINDOWS\system32\msok32.exe
    C:\WINDOWS\d3fk32.exe
    C:\WINDOWS\system32\winya32.exe
    C:\WINDOWS\system32\ntth.exe
    C:\WINDOWS\system32\addbh32.exe
    C:\WINDOWS\system32\winni.exe
    C:\WINDOWS\mfcwk.exe
    C:\WINDOWS\system32\sysfs32.exe

    I think the first one was deleted when I used the AVG FREE antivirus. There were two other files with similar names to the second one in your list (WndPos.dll and WndPosX.Dll) but since the spelling didn't match I didn't delete them. As for the others, none could be found. Could it be because I used the antivirus before reading your message?

    Then, the later steps were done and worked well.

    Everything I did, I did in my account. What about the other account on my computer, do I have to repeat all this or is it done for the computer all at once? Since Internet Explorer has different settings in different accounts, don't I have to clean up the other account separately?

    I'm sending the log from HJT. Is there anything else I should send you?
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Well, you sort of made the wrong choice in saying you will dump PC-Cillin's firewall and get Sygate. Sygate actually no longer exists (Symantec bought them) and thus there will be no more updates for the free firewall. If you don't want to pay for PC-Cillin, use ZoneAlarm Free. You do need to get down to one firewall ASAP.

    Did you miss fixing the below? Try again:

    O2 - BHO: Class - {02D7883C-EE41-741A-AF0C-EF2477EE088F} - C:\WINDOWS\crvh32.dll (file missing)
    O2 - BHO: Class - {8D283F17-6393-2336-7062-61B53CA2D259} - C:\WINDOWS\system32\iejn32.dll (file missing)

    How are things working?

    Yes clean the other accounts. You do not need to run the online scanners in each account. Just run the other tools and make sure the accounts have no problems.
     
  6. turk_cmr

    turk_cmr Private E-2

    Hello again,

    I just removed the two other files you told me about, using HJT. I did miss them.

    So far, so good. IE is working fine (proper homepage and doesn't shut down) and I didn't get any more annoying pop-ups (yet!).

    I am going to clean up the other account now, repeating all the steps except for the Internet scans. Should I send an HJT log from the other account?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are we talking about only one more account? If so, yes, attach that HJT log after you run all the other tools (except the online scans) on that account.
     
  8. turk_cmr

    turk_cmr Private E-2

    Hello,

    Yes, I have only one more account on my computer. I did all the necessary steps with the second account as I did with the first one, except for the Internet scans.

    I am sending the log from HJT.

    When I used the Ad-Aware SE with the second account, there were still 10 Coolwebsearch problems found.

    With HJT I deleted R3, which was the same as with the first account. I didn't touch anything else later on.

    Do you think I'm clean.. well, not me, my computer!? Is there a way to make sure, 100% sure?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not clean yet! No there is no 100% way to be sure when a system is totally clean. We can run literally dozens of tools and keep finding miscellaneous items. Sometimes it is just a matter of how much scanning you want to do and whether the PC appears to be working okay. But note that even a PC that appears to be working okay can still be infected. Some infections are meant to hide from you. But the combination of running multiple scans (as in the READ ME) and looking at logs and then seeing how things are running is a pretty good measure.

    First look in Add/Remove programs and uninstall System Soap Pro if found.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\Program Files\SYSTEM~1\soap.exe <--- Delete the whole SYSTEM~1 folder. I'm not sure what the exact full name expands to, but the folder is probably System Soap Pro.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  10. turk_cmr

    turk_cmr Private E-2

    I went to the Add/Remove programs, but didn't find "System Soap Pro"

    I ran HJT and FIXed the two lines you told me.

    By the way, in HJT, when I see that some lines say at the end (file missing), does it mean I could safely delete those as well?

    I booted into safe mode and used Windows Explorer to try to delete
    C:\Program Files\SYSTEM~1\soap.exe but I just couldn't find it, nor the SYSTEM~1 folder. I made a search on the computer using "*soap*.*" and found a few things. I don't know if I can do that here, but I saved a copy of my computer screen to show you the results of what I found. I called the file "Search for Soap.jpg".

    Then, I deleted everything in c:\windows\Prefetch and ran Ccleaner.

    I rebooted in normal mode and used HJT to get a log from that second account where I just finished working on, and also a log from my first account which was the first one we began cleaning up yesterday.

    One last thing, I used Ad-Aware, Spybot, About:Buster and the like and didn't find anything. So far, so good! I didn't use the Internet scans, though.

    You've got no idea how grateful I am to you for all the help you've been giving me. I don't know what I would've done without your help.
     

    Attached Files:

  11. turk_cmr

    turk_cmr Private E-2

    I forgot to specify that my HJT log A is for the first account, which we began cleaning yesterday, and the B log is for my second account, the one you asked me to delete the System Soap Pro today.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! HJT has some bugs and sometimes shows files as missing when they are not. You should check to see if those files are really missing. Also, if they are missing and they are for valid applications (like yours are), there could be problems with how the application is running. Something would be broken. We used to fix these lines. Now we ignore them unless the line is malware related.

    Your logs are clean. Are you having any other malware problems?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
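    The triage in this thread comes down to reading HJT line types by hand: chaslang's fix-then-delete list in post 3 (O2 BHO and O4 Run lines map to files to delete in safe mode), the per-account question answered in post 5 (O4 entries under HKLM apply to every account, O4 entries under HKCU only to the account the log was taken from), and the "(file missing)" caveat in post 12 (check on disk before trusting the flag). The script below is an added example, not code from the thread or from HijackThis: it parses the O2, O4 and O16 lines quoted in the thread into a small report with those three groupings. The sample lines are copied from the logs quoted above (a constructed subset, not a full log), and the "looks random" name heuristic is this example's own assumption, meant as a hint for the "if you don't know what it is, fix it" pass rather than a verdict.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example; not part of the MajorGeeks thread or of HijackThis.
Parses O2 (BHO), O4 (Run key) and O16 (Downloaded Program Files)
lines and groups them the way the cleanup instructions do.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample lines copied from the HJT logs quoted in the thread
# (constructed subset for the example, not a complete log).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4B02E42A-B623-F767-2CF1-00AA0DD56907} - C:\WINDOWS\crrm.dll
O2 - BHO: Class - {02D7883C-EE41-741A-AF0C-EF2477EE088F} - C:\WINDOWS\crvh32.dll (file missing)
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\nteb.exe
O4 - HKLM\..\Run: [msok32.exe] C:\WINDOWS\system32\msok32.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK3 Control) - http://chbib.chb.co.kr/jscss/keystroke/SCSK_4.0.0.7.cab
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
"""


@dataclass
class Entry:
    kind: str             # "O2", "O4", "O16", or the raw prefix for other lines
    name: str
    path: str = ""        # local file (O2/O4) or download URL (O16)
    clsid: str = ""
    scope: str = ""       # O4 only: "machine" (HKLM) or "user" (HKCU)
    file_missing: bool = False
    raw: str = ""


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"
                    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Assumption for this example: a 3-6 letter stem (optionally "32") directly
# under C:\WINDOWS or system32 is worth a second look. Tiny allowlist only.
WINDIR_RE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\(?P<stem>[a-z]{3,6}(?:32)?)\.(?:exe|dll)$", re.I)
KNOWN_OK = {"explorer", "notepad", "rundll32"}


def command_path(cmd: str) -> str:
    """Strip arguments from an O4 command, e.g. 'soap.exe min' -> 'soap.exe'."""
    m = re.match(r'"?(?P<p>.+?\.(?:exe|dll|scr|com|bat|cmd))(?:"|\s|$)', cmd, re.I)
    return m["p"] if m else cmd.split()[0]


def looks_random(path: str) -> bool:
    m = WINDIR_RE.match(path)
    return bool(m) and m["stem"].lower() not in KNOWN_OK


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in (line.strip() for line in text.splitlines()):
        if not raw:
            continue
        if m := O2_RE.match(raw):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"], "",
                                 m["missing"] is not None, raw))
        elif m := O4_RE.match(raw):
            scope = "machine" if m["hive"] == "HKLM" else "user"
            entries.append(Entry("O4", m["name"], command_path(m["cmd"]), "", scope, False, raw))
        elif m := O16_RE.match(raw):
            entries.append(Entry("O16", m["name"] or "", m["url"], m["clsid"], raw=raw))
        else:  # R0/R1/R3/O8 and anything else: keep the prefix and text as-is
            kind, _, rest = raw.partition(" - ")
            entries.append(Entry(kind, rest, raw=raw))
    return entries


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Group what a cleanup would touch.

    delete_in_safe_mode: O2/O4 files HJT reports as present (Fix + safe-mode delete).
    verify_on_disk: "(file missing)" lines; confirm in Explorer before fixing.
    machine_scope_run / user_scope_run: HKLM applies to all accounts, HKCU only
    to the account the log came from, so other accounts need their own log.
    downloaded_controls: O16 cabs by host for the "fix what you don't know" pass.
    """
    report: Dict[str, object] = {"delete_in_safe_mode": [], "verify_on_disk": [],
                                 "machine_scope_run": [], "user_scope_run": [],
                                 "downloaded_controls": {}, "looks_random": []}
    for e in entries:
        if e.kind in ("O2", "O4"):
            bucket = "verify_on_disk" if e.file_missing else "delete_in_safe_mode"
            report[bucket].append(e.path)
            if looks_random(e.path):
                report["looks_random"].append(e.path)
        if e.kind == "O4":
            report["machine_scope_run" if e.scope == "machine" else "user_scope_run"].append(e.path)
        if e.kind == "O16":
            host = re.sub(r"^https?://([^/]+).*$", r"\1", e.path)
            report["downloaded_controls"].setdefault(host, []).append(e.clsid)
    return report


if __name__ == "__main__":
    for key, value in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

    The "user_scope_run" bucket is why the helper's answer in post 5 is "yes, clean the other accounts": an HKCU Run entry such as the System Soap Pro line only shows up in a log taken while logged in to that account, so a clean log from one account says nothing about the other.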
     
  13. turk_cmr

    turk_cmr Private E-2

    Hello and thank you!

    I disabled the restore system, rebooted and restored it. I scanned again with Ad-Aware, Spybot, AVG FREE, ... and found nothing! This is so great!

    About protecting my computer, after reading How to Protect yourself from malware!, I downloaded Zone Alarm Free but did not install it yet. I wanted to get rid of PC-cillin first and then install Zone Alarm Free. BUT...

    I thought I had deleted PC-cillin in the past, but when you checked my HJT logs, you pointed out that I was running two firewalls: PC-cillin and Sygate. I uninstalled Sygate; actually, it happened when I downloaded the new version (I thought) from the link I followed in How to Protect yourself from malware!. After downloading Sygate, I executed the file to install it, but instead it uninstalled what I already had. Later, I tried to uninstall PC-cillin so I could install Zone Alarm, but it always blocks, possibly because it's in use? I don't know, because, like I explained in an earlier post, I am using a Korean version of Windows XP, and I will need someone to translate the message I get on my screen every time I try to delete PC-cillin. I checked on my desktop and there is no icon for it. I checked in START and then in my programs and there is nothing about PC-cillin there either. There is a folder on my computer, though. Could I just simply delete the folder or would that be a bad choice?

    Do you know if it'd be OK to install my English version of Windows XP Service Pack 2, which I got from Microsoft on a CD, since the Windows XP Service Pack 1 on my computer is in Korean?

    If I'm asking questions that should be addressed to a different forum, just let me know and I won't bother you anymore. You've already done so much for me. Thank you so much!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is still appearing in Add/Remove Programs, the proper thing to do is to uninstall it. You need to find out what the message is saying to you. It could just be a typical message checking to see if you really want to uninstall. Until you figure that out and get it uninstalled, you must not install ZoneAlarm. Just have ZoneAlarm downloaded and ready to install. Then, when ready, unplug your cable to the internet and uninstall TrendMicro. Then reboot, install ZoneAlarm and plug in your cable to the internet afterwards.


    I don't know, I would think you would possibly need a complete reinstall which will cause loss of configuration info and you would need to reinstall all your other applications etc. Try asking in the Software Forum.
     
