VIRUS; Please Help - Ran Through all help on forum 3 required files attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Swimace, Jan 29, 2007.

  1. Swimace

    Swimace Private E-2

    I ran through all the stages at:
    http://forums.majorgeeks.com/showthread.php?t=35407
    Thank you, very helpful. I ran through all the following steps twice:

    Clean the system - there was nothing unfamiliar, or that I didn't want, in Add/Remove Programs to remove.

    booted into safe mode:
    CCleaner
    SpyBot - Search & Destroy
    CounterSpy - clean on the 2nd scan.

    reboot into safemode with networking
    Bitdefender full scan - a few problems on 2nd scan - attached.

    The first time it came up with quite a few errors, so I ran through the whole process again to see if it had cleared them up. The second time the process picked up fewer errors, but this is still a concern, so the following files are attached as requested:

    GetRunKey log
    ShowNew Log
    HJT log

    These are from the 2nd scan of my system; I followed all the steps exactly and in safe mode. The scans for the attached logs were done in normal boot mode.

    This is a large concern, that something came up a second time, as I have important work I cannot afford to lose. Yes, I have backed it up, but I still don't want to go through another reformat. Plus, like everyone, I don't want the junk on my PC, lol.

    Since the scans, and selecting 'normal boot mode' from services.msc, the boot process is OK, but when Windows XP Pro is loaded it takes AGES to start and load the programs into the task bar - my SoundBlaster Live mixer, the NTL Netguard program (firewall & virus scanner) and CounterSpy (newly installed for the walkthrough). Also, it now takes AGES to load a browser for the 1st time; after the 1st time it's loaded it's OK.

    Things it seems to have helped: dragging windows across the desktop doesn't leave a trail of windows like it did before (as if the refresh was slow), and scrolling down through web pages seems to be a lot more responsive.

    I use NTL NETGUARD. This is a free virus scanner and firewall for NTL customers only. I 'was' happy with its usage as it seemed to do a job and it was 'lite', as programs I have used before seem to take up all my system's resources and slow my system down. I don't want this from a decent virus scanner and firewall.

    I know there are programs listed on this site as recommendations but I would like some user feedback on what to use.

    I have a Celeron 2.8GHz, 2GB of RAM, an AGP X1600 Radeon card and 2 HDDs.
    Drive 1 is partitioned, with one half for the OS - Windows and Program Files -
    and the other half of the partition for games.

    The 2nd drive (D:\) is solely for downloads, as I download a lot from a BitTorrent client, "BitComet".

    I have a third, external 300GB HDD for video (films etc.) and music only; there are only ever mp3 and video files on this.

    I would like a program that runs in the task bar and instantly catches any problematic files as soon as they are downloaded. I surf the net LOADS and am connected 24/7; I also buy and sell a lot on eBay. I'd like a program that does not hinder web surfing or downloading, or general system performance.

    I would like a secure firewall, as with my current "NTL Netguard" I am unsure it does anything. It shows as active in the program itself and Windows detects it as a working program, but it is not really reviewed anywhere on the internet, and the virus scanner has only ever come up with one virus once, and it DID NOT detect the viruses in my system at the moment.

    I'd love something that works well and will stop problems on my PC before they occur. I like the setting on it that lets me block web adverts (the banners and ads just appear as a red square) and would like this in the alternative program, as it seems to speed up web surfing.

    I connect to my 4Mb/sec broadband via an RJ45 connection running to a D-Link 614+ router. The router is connected to the NTL modem, and there are 2 other PCs on the network, both connected via RJ45; the wireless setting on the router is disabled.

    As I said, attached to this post are the files requested for a summary of my system:

    BDscan - safe mode BitDefender scan

    newfiles.txt - after running ShowNew.Bat in normal boot mode after 2nd full clean.

    runkeys.txt - after running GetRunKeys.Bat in normal boot mode after 2nd full clean.

    Please tell me if there is a virus on my PC, or if my PC is running OK and if it can be cleaned further, and also what program/programs are best for me to use. (I don't mind paying.)

    Regards,

    Olly
    (Swimace)
     


  2. Swimace

    Swimace Private E-2

    HJT log - done as instructed in the required format.

    attached.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have attached the first log from CounterSpy as requested so we could see what was found.

    Why didn't you run PandaActiveScan as requested in step 6?

    You also did not complete step 2 of the READ ME. At least not as instructed.

    I suggest that you cleanup all the garbage off your Desktop. You are making it too easy for malware to hide there!


    I have a bunch of questions for you !

    Did you just install this? http://www.microsoft.com/technet/sysinternals/FileAndDisk/PageDefrag.mspx

    I see it here:
    Code:
    "C:\WINDOWS\system32\"
    pgdfgsvc.exe  29 Jan 2007       25992  "pgdfgsvc.exe"
    
    And do you know what the below is that was just recently installed:
    Code:
    "C:\WINDOWS\system32\"
    thunk3~1.dll  29 Jan 2007         234  "thunk32-jgc.dll"
     
    Did you put all the below policy/restrictions in place yourself?

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Olly Worthington\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\CounterSpy

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10

    Make sure viewing of hidden files is enabled (per the tutorial).

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot your PC into safe mode.


    Now locate the below folders and delete them if found:
    C:\Program Files\Common Files\{30366755-0AF6-2057-0728-05062006002c}
    C:\Program Files\Common Files\{E0366755-0AF6-2057-0728-05062006002c}
    C:\Program Files\Common Files\{E0366755-0AF6-2057-0728-050620060001}

    Also delete the below files:
    C:\WINDOWS\system32\msnsc.exe
    D:\madeofeveryone.exe

    Now reboot in normal mode.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Tell me what malware problems you are having (if any exist)!
     
    Last edited: Jan 30, 2007
  4. Swimace

    Swimace Private E-2

    OK, this was the ORIGINAL CounterSpy log. Couldn't attach it?
    HERE:
    Spyware Scan Details
    Start Date: 29/01/2007 04:09:16
    End Date: 29/01/2007 05:54:06
    Total Time: 1 hrs 44 mins 50 secs
    Detected spyware

    Trojan-Downloader.Win32.Busky.gen Trojan Downloader more information...
    Status: Deleted

    Infected files detected
    c:\windows\system32\svchosts.lzma


    Maxifiles Adware (General) more information...
    Status: Quarantined

    Infected files detected
    c:\windows\system32\unsvchosts.lzma


    Trojan-Downloader.Win32.Agent.bca Trojan Downloader more information...
    Status: Deleted

    Infected files detected
    c:\windows\system32\svchosts.exe


    Trojan-Spy.Agent.204 Trojan more information...
    Status: Deleted

    Infected files detected
    c:\windows\system32\msnsc.exe


    Trojan-Downloader.Agent.794 Trojan Downloader more information...
    Status: Deleted

    Infected files detected
    c:\windows\system32\msvirtualcd.cpl
    C:\WINDOWS\system32\TweakUI.cpl


    The attached files were just done as requested in SAFE MODE,

    Yes, I usually am so anal about my PC's directory settings; I've got a lot on at the mo and left junk on the desktop, but I've sorted that out now.

    I didn't run Panda scan as I thought it was either BD or PandaScan, and PS didn't work the 1st time either.

    OK - hidden files are shown, and were shown before, but NOT hidden operating system files. They are now shown - sorry about that.

    Yes, I installed that MS program - I read in a forum that it helps; I run it every so often.

    And no, I do not know what this "thunk32-jgc.dll" is. Anything recently installed - the last week or so - is junk, apart from 2 programs: Thunderbird 2.0 beta 2 and also Merlins InstantFeedback, which leaves eBay feedback "on the fly". I use these all the time.

    Yes, I put those policies in myself; I went through a step-by-step guide online on securing my PC.

    OK, CounterSpy is now uninstalled, but what other programs can I use?

    J2SE is uninstalled - I thought when it updated it updated the program and didn't leave old junk on? Thanks for the great info :D Happy to know that now.

    OK, deleted the file on the D:\, but C:\WINDOWS\system32\msnsc.exe wasn't there??

    Did the attached files under safe mode as asked.

    The problems I am having:

    explorer.exe was taking up 100% of the CPU;
    I had to Ctrl-Alt-Del and cancel the process, then reload it through New Task - cmd - explorer.exe.

    But that problem just seemed to go before I even did any of these logs. I read on another forum it was .avi related, and I did a fix they suggested and it seemed to work. It seems to have gone.

    The boot-up takes a while and, like I said, when loading Firefox for the 1st time it takes AGES to load, same with IE7.

    Also the windows used to leave trails when being dragged around the desktop - although that no longer seems to happen.

    My PC just seemed under a lot of "stress", i.e. low system resources sometimes.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything and I asked for logs after booting in Normal Mode.

    The READ ME specifies to run both. Based on your newfiles.txt log, Panda never even started. What problem are you having with it? Did you try now, after uninstalling the old Sun Java version?


    Could the "thun" in thunk32 stand for Thunderbird? Look at the file's Properties and see who it belongs to.

    Enabling NoLowDiskSpaceChecks does nothing for securing your PC. It only stops Windows from telling you when your diskspace is getting low.

    CounterSpy was only a trial that would expire in 15 days. If you like it you can buy it. But some people do find it to be too resource hungry. Many new realtime protection programs are getting more resource hungry, since the malware dilemma has grown tremendously. However, you have an antispyware application from your ntl Security Suite. It is probably Pest Patrol. My final steps will include a reference to this: How to Protect yourself from malware!

    Sun's download pages have always stated to uninstall the old version and then install the new version.


    Firefox is always a little slow the first time loaded.

    I don't believe it is malware. We could run a further scan for rootkits, but your problems may just be due to what you run on your PC, how much RAM you have and other physical specs. For example, I noticed ntl Netguard Security and also Windows Live OneCare safety scanner. Does Windows Live OneCare also have an antivirus and other malware protection tools in it?
     
  6. Swimace

    Swimace Private E-2

    The attached scans.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat! Logs must be from normal boot mode. Please attach a new HJT log from Normal boot mode. However, you appear to be clean thus far, except for one folder that seems suspicious:
    Code:
    "C:\WINDOWS\system32\drivers\"
    DISDN         17 Jan 2007              "disdn"
    Do you know what this folder is for? What do you see in the disdn folder?
     
  8. Swimace

    Swimace Private E-2

    Nothing; the folder is empty?

    Also, that .dll file seems to have nothing associated with it.

    I just removed that NTL firewall/virus checker thing and have installed avast! Although it doesn't seem to run in the background; is this correct, do I just run it as and when I need it?

    I am also going to install Outpost firewall and SpywareBlaster.

    Does this sound like a good set up?
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then delete it.

    Do you mean there is no Version tab under properties?

    Not completely! Have HJT fix the below line:
    O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl Netguard\RPS.exe"


    Not True! See the below listed in your HJT log:
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)


    What realtime antispyware blocker are you going to use?

    You did not answer my question about Windows Live OneCare safety scanner!

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
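    The leftover "ntl Netguard" Run entry and the two avast! services marked "(file missing)" above are exactly the kind of entry a quick audit of the HJT O4/O23 locations turns up. The following PowerShell script is an added example, not code from the thread or from HijackThis: it reads the HKLM Run key and the Win32 service list, resolves each command line to its executable and flags any entry whose file no longer exists. It assumes Windows PowerShell with WMI available; the entry names in the comments are taken from the posted log.

    ```powershell
    # Added example: audit HKLM Run entries (HJT "O4") and services (HJT "O23")
    # for command lines whose executable is missing, i.e. uninstall leftovers.

    function Get-ExecutablePath {
        # Extract the program path from a Run value or service PathName.
        param([string]$CommandLine)
        if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
        $cmd = $CommandLine.Trim()
        if ($cmd.StartsWith('"')) {
            # Quoted path: everything up to the closing quote.
            $end = $cmd.IndexOf('"', 1)
            if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        }
        # Unquoted path: take up to the first ".exe" so arguments are dropped.
        $m = [regex]::Match($cmd, '(?i)^.*?\.exe')
        if ($m.Success) { return $m.Value }
        return ($cmd -split '\s+')[0]
    }

    function Get-RunKeyAudit {
        # Equivalent of the HJT O4 - HKLM\..\Run lines (e.g. [ntl Netguard], [avast!]).
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own properties
            $exe = Get-ExecutablePath $p.Value
            if (-not $exe) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Source  = 'O4 HKLM Run'
                Name    = $p.Name
                Path    = $path
                Missing = -not (Test-Path -LiteralPath $path)
            }
        }
    }

    function Get-ServiceAudit {
        # Equivalent of the HJT O23 - Service lines (e.g. avast! Mail Scanner).
        Get-WmiObject Win32_Service | ForEach-Object {
            $exe = Get-ExecutablePath $_.PathName
            if (-not $exe) { return }
            $path = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Source  = 'O23 Service'
                Name    = $_.Name
                Path    = $path
                Missing = -not (Test-Path -LiteralPath $path)
            }
        }
    }

    # Report only the entries whose target is gone; these are the ones HJT would
    # print as "(file missing)" and that a cleanup should remove.
    $audit = @(Get-RunKeyAudit) + @(Get-ServiceAudit)
    $audit | Where-Object { $_.Missing } | Format-Table Source, Name, Path -AutoSize
    ```

    Run it from an elevated prompt in normal boot mode, the same mode the logs in this thread were asked for, so that the service list matches what HJT reports.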
     
  10. Swimace

    Swimace Private E-2

    Hi, I properly installed avast and that's a real-time scanner. I also fully removed the NTL one; I have Sygate firewall too.

    I installed that Windows Live OneCare as it was recommended on a Windows Update; MSN Messenger also recommended it.

    I have now removed it via add/remove programs.

    As for the .dll file, it has no version number?

    Also, Properties reads - Type of file: Application Extension

    Opens with: Unknown application
     
  11. Swimace

    Swimace Private E-2

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is only an antivirus application, and I'm not talking about realtime scanning. I'm referring to realtime blocking of malware, which an antispyware application (like CounterSpy, Spyware Doctor, Spy Sweeper, Pest Patrol, Windows Defender, Spyware Terminator..... etc.) will do.

    That is not what I asked. I asked
    But since you uninstalled it (which I would have done anyway) it does not matter.

    I did not ask about a version number. I asked about a Version tab which would be seen by right clicking on the file and selecting Properties. Is there or is there not a Version tab?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This was not the name of your file and may have nothing to do with it.
     
  14. Swimace

    Swimace Private E-2

    True, I did the following though - rebooted, safe mode, renamed the .dll file, booted normal mode, no problems, and no changes?

    Must be ok without it.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe.....until you run the program that may need it. Or it may not be needed at all. Did you check Thunderbird?
     
  16. Swimace

    Swimace Private E-2

    Yeah, everything I need is fine. One slight thing I noticed: I play Day of Defeat online and it seemed a bit laggy? Is this avast!?
    What can I do to help that out?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure! It is possible. However, you need an antivirus program to help you try and keep your PC clean. You could do a quick test of uninstalling Avast to see if it changes anything, but running without an antivirus is not an option you should use. You could try one of the other free antivirus programs too. AVG is highly recommended.
     
    Last edited: Jan 31, 2007
  18. Swimace

    Swimace Private E-2

    What do you think about NOD32? How do you rate that?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a good program, but it is not free. Whether it will impact your game playing any differently I cannot answer.
     
  20. Swimace

    Swimace Private E-2

    Thanks for your help, you're the man - Long gone are the days of cd\games\
    cls
    cd\

    lol

    Oh well, also I've got NOD32 - the trial - which seems great (considering a purchase), and also got the "Sygate" firewall. It's asking about quite a few things wanting to connect to the net; I've accepted the obvious - Firefox, Thunderbird - but some things I'm not sure of...

    NT KERNEL & SYSTEM

    Generic Host Processes for Win32 Services

    Application Layer Gateway Service

    For now I've blocked these, and they can easily be unblocked, but the computer is running fine? What could these be required to access the net for?


    Also, is there any way with Sygate I can block adverts on pages, and also unwanted pages and images/adverts on pages?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes they require access for certain things. If you have them blocked and have no problems right now, that's fine. But some day you may do something else where they require access, like maybe getting Windows Updates or similar. I actually don't like the way Sygate works. It is rather stupid when it comes to deciding what to do with various default Windows processes. ZoneAlarm takes care of these automatically. I allow all of these to have access!
     
  22. Swimace

    Swimace Private E-2

    So you use ZoneAlarm? I felt that it was taking over, though, last time I had it?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have no problems with it, but everyone has different PC specs and runs different software. Thus what works for one may not work as well for another. I don't play any games, so I may not have the same requirements as you. But what you do have to realize is that there is a hit to a PC's performance for everything that you run. An antivirus, an antispyware and a firewall will all impact overall performance. Without them, however, your impact may wind up being greater at some point, when your PC does not run anymore due to malware taking control of it. Thus there are tradeoffs to be made on how much protection is important to you and how much playing your games is important to you. I find ZoneAlarm to be a more effective firewall than Sygate, and that is partially the reason why it may impact your performance more. This logic applies to all tools that scan for malware too.
     
