Trojan....

Discussion in 'Malware Help (A Specialist Will Reply)' started by Amandalynn, Jan 29, 2006.

  1. Amandalynn

    Amandalynn Private First Class

    I have run CCleaner, Ad-Aware SE, Spybot, Microsoft AntiSpyware, Microsoft Malicious Software Removal, CwShredder, Kill2Me, Bitdefender, Panda I could NOT get to run, I have also followed the "special removal procedures," And the free scans in 'alternative scans'. Norton Antivirus has been run as well.

    As you can imagine this computer is having several pop-ups when Internet Explorer is used. I am also receiving a run error for the MFC42.DLL

    Here are all of my logs:
     


  2. Amandalynn

    Amandalynn Private First Class

    And here is my HijackThis log
     


  3. Amandalynn

    Amandalynn Private First Class

    I am also unable to download any windows updates for this computer:

    Receiving SL26F.tmp or SL403.tmp errors...
     
  4. Amandalynn

    Amandalynn Private First Class

    Norton log
     


  5. PhilliePhan

    PhilliePhan Guest

    Hi Amandalynn,

    You have a couple real nasties showing in your HJT log including a particularly vile Backdoor RBot - Though, I'm surprised your AV / Anti-spy apps didn't remove it . . . ..


    Here is the standard boilerplate warning for such baddies:

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


    I don't know if this is still active on your machine, but you should be aware that it was/is there and take the appropriate action.


    Please hang in there for one of the regular MGs Malware Fighters to have a look.

    PP :)
     
    Last edited by a moderator: Jan 29, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are the below items from McAfee still installed when you are using Symantec?
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\j?vaw.exe
    C:\Program Files\nrpn\osoa.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {01A93844-DAF3-D826-D14B-A91854A49FCB} - C:\WINDOWS\System32\bwne.dll (file missing)
    O2 - BHO: (no name) - {3189B382-5D44-75E5-42B6-5AA05C89F39D} - C:\WINDOWS\System32\cdmpgl.dll (file missing)
    O2 - BHO: (no name) - {3189B383-5D35-02E9-42C0-21A02FF7F399} - C:\WINDOWS\System32\cdmpgl.dll (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {75BB1713-EBC4-D117-ABCB-F44404CAA4AE} - C:\WINDOWS\System32\ccfch.dll (file missing)
    O2 - BHO: (no name) - {8ECCBA1A-0BA9-0922-DB65-7EC5397747C7} - C:\WINDOWS\System32\czgse.dll (file missing)
    O2 - BHO: (no name) - {8ECCBA1B-0BD8-7E2E-DB13-05C54A0947C3} - C:\WINDOWS\System32\czgse.dll (file missing)
    O2 - BHO: (no name) - {8ED385C0-2A1E-1794-79C3-61FD6F620DA3} - C:\WINDOWS\System32\dognhz.dll (file missing)
    O2 - BHO: (no name) - {BEFEB5C1-075A-21A1-5486-59D02B242097} - C:\WINDOWS\System32\dognhz.dll (file missing)
    O2 - BHO: (no name) - {C19C7FEE-CB7F-E3D3-7744-C0A94CE95DC4} - C:\WINDOWS\System32\pjdf.dll (file missing)
    O2 - BHO: (no name) - {C8943821-C5AA-A02F-C63C-8E93794A48A5} - C:\WINDOWS\System32\wgbup.dll (file missing)
    O2 - BHO: (no name) - {D48B636F-DE89-8655-FBDB-F0BD2ED34F9B} - C:\WINDOWS\system32\gzendsc.dll (file missing)
    O2 - BHO: (no name) - {D5ED90A7-2C30-5DE2-6039-796235BF19C2} - C:\WINDOWS\system32\roerv.dll (file missing)
    O2 - BHO: (no name) - {D8C9EC18-0CA8-0F74-DB65-7EC5397745C0} - C:\WINDOWS\System32\szmdgisf.dll (file missing)
    O2 - BHO: (no name) - {F1B14FEF-E63B-D5E6-5A01-F88408AF70F0} - C:\WINDOWS\System32\pjdf.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [win] xwinxrpc32.exe
    O4 - HKLM\..\Run: [Microsoft upnp Update] msie.exe
    O4 - HKLM\..\RunServices: [win] xwinxrpc32.exe
    O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe
    O4 - HKCU\..\Run: [Eaovqnq] C:\WINDOWS\System32\j?vaw.exe
    O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt ndrv

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\nrpn <--- the whole folder
    C:\WINDOWS\System32\xwinxrpc32.exe
    C:\WINDOWS\System32\msie.exe
    C:\WINDOWS\System32\bwne.dll
    C:\WINDOWS\System32\cdmpgl.dll
    C:\WINDOWS\System32\ccfch.dll
    C:\WINDOWS\System32\czgse.dll
    C:\WINDOWS\System32\dognhz.dll
    C:\WINDOWS\System32\pjdf.dll
    C:\WINDOWS\System32\wgbup.dll
    C:\WINDOWS\system32\gzendsc.dll
    C:\WINDOWS\system32\roerv.dll
    C:\WINDOWS\System32\szmdgisf.dll
    C:\WINDOWS\System32\pjdf.dll
    C:\MSBoot.BAT
    C:\WINDOWS\MSBoot.BAT
    C:\WINDOWS\System32\MSBoot.BAT <--- also search your PC for any other occurrences of this file and delete it.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
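    Added example (not part of this thread, and not HijackThis code): a small Python triage pass over HJT log lines in the shapes chaslang selects above, so a helper can pre-sort a posted log. It flags O2/R3/O9 COM entries whose file is missing, O4 Run/RunServices values that are a bare filename with no path or that contain a "?" where HJT could not render a character, and R0/R1 pages that point away from a caller-supplied set of expected hosts (the expected_hosts parameter is an assumption of this example). The sample lines are constructed from entries quoted in this thread plus one constructed benign BHO with a placeholder CLSID.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log excerpts quoted in this thread,
# plus one made-up benign BHO (placeholder CLSID) that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {01A93844-DAF3-D826-D14B-A91854A49FCB} - C:\WINDOWS\System32\bwne.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [win] xwinxrpc32.exe
O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe
O4 - HKCU\..\Run: [Eaovqnq] C:\WINDOWS\System32\j?vaw.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section tag, e.g. "O2" or "O4"
    reason: str
    line: str


# "<tag> - <body>"
LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d+) - (?P<body>.*)$")
# R0/R1: "<registry key>,<value name> = <url>"
URL_RE = re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<url>\S+)")
# O4: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R3/O2/O9: "<label>: <name> - <clsid> - <file>"
COM_RE = re.compile(r"^(?P<label>[^:]+): (?P<name>.+?) - (?P<clsid>_?\{[^}]+\}) - (?P<file>.*)$")


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or the whole value if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()


def executable_of(cmd: str) -> str:
    """First token of a Run-key command: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str, expected_hosts: set) -> list:
    """Return one Finding per HJT line that matches a triage rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")
        if tag in ("R0", "R1"):
            u = URL_RE.match(body)
            if u and host_of(u.group("url")) not in expected_hosts:
                findings.append(Finding(tag, f"{u.group('name').strip()} points to {host_of(u.group('url'))}", line))
        elif tag in ("R3", "O2", "O9"):
            c = COM_RE.match(body)
            if c and ("(file missing" in c.group("file") or c.group("file") == "(no file)"):
                who = "unnamed" if c.group("name") == "(no name)" else "named"
                findings.append(Finding(tag, f"orphaned {who} {c.group('label')} entry, referenced file is missing", line))
        elif tag == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            exe = executable_of(r.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding(tag, f"bare executable name '{exe}' in {r.group('key')} (no path)", line))
            elif "?" in exe or not exe.isascii():
                findings.append(Finding(tag, f"unrenderable character in path: {exe}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"www.majorgeeks.com"}):
        print(f"{f.kind:<3} {f.reason}\n    {f.line}")
```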
     
  7. Amandalynn

    Amandalynn Private First Class

    Argh what is the likelihood that this has infected other pcs on the network? >.< Time to yell at the pc. I will start working on that computer now and start running other scans on the three remaining pcs on our home network... what would be the best scan to run on the other pcs? My own computers seem to be fine but who knows.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Anything is possible! If you had the other PCs well protected then maybe not. But the only way to be sure is to run ALL the cleaning steps on your other PCs. I would not start that until this one is clean. It is too difficult to work in these threads on more than one PC at a time. It just gets confusing.

    Just because something seems fine, it does not mean it is clean. Many aspects of malware purposely try to hide and do not want to impact how your PC works. That way, you will never look for them to remove them.
     
  9. Amandalynn

    Amandalynn Private First Class

    I ran Norton on all the other pcs, so far they are looking good. but yeah one pc at a time

    I think i got this one heading down the right track. Here is a fresh log
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How is this current PC working right now? I have a couple more things to check out/do.

    Use the steps in this thread Searching for Hidden Files on WinXP to search for userinit.exe and tell me everywhere you find it.
     
  11. Amandalynn

    Amandalynn Private First Class

    The location of userinit.exe was found at: (I am assuming you do not mean every registry file, setup information, text document it was mentioned in)

    USERINIT.exe -- C:\I386

    userinit.exe -- C:\Windows\$NtServicePackUninstall$

    userinit.exe -- C:\WINDOWS\SYSTEM32

    userinti.exe -- C:\Windows\ServicePackFiles\i386



    --------------------------------------------------------------------------
    As far as i can tell the system is running fine except errors on start up. The errors include:

    DSentry.exe--unable to locate component: This application has failed to start because MFC42.DLL was not found. Re-installing the application may fix this problem

    PCMSercices.ese--unable to locate component: This application has failed to start because MFC42.DLL was not found. Re-installing the application may fix this problem

    wlancfg5.exe--unable to locate component: This application has failed to start because MFC42.DLL was not found. Re-installing the application may fix this problem


    I am assuming i need to replace the missing dll file for all of these programs.

    As for prolong use of the computer, my roommate will inform me if it is acting funny. No one was allowed to use this particular machine once the infection was found so I am not sure of its over all performance.

    I do know that I am unable to run windows update on it. And I am currently working with Microsoft on the matter.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this a typo? Did you mean userinit.exe?


    Try downloading MFC42.DLL from http://www.dll-files.com/dllindex/dll-files.shtml?mfc42
    Put it in your C:\windows\system32 folder. It will be in a ZIP file and you will need to extract it into system32.

    Good luck with MS! :rolleyes: They do not have a very good track record of fixing these issues. They have a few knowledge base articles that fix only certain particular issues but I have not seen them fix any of the cases where people here say they cannot get updates.

    You could give one of our procedures a try. It may or may not help:

    Fixing Windows Update Problems (Win 2K and XP)
     
  13. Amandalynn

    Amandalynn Private First Class

    OMGooses.. okok i can't win. At any rate I will snag that pc back from my roomie (who i am sure is putting it under a huge stress test atm >.<) Follow the horrible directions from microsoft that I got for 'fixing' the update problem and get back to you in a day or so.

    HOWEVER, can you please direct me to the appropriate place to post a connectivity problem with the net.. the i can ping but can't browse ip or addy section.

    Next course of action is to monitor all roommates computer use because they are driving me nuts. Two thumbs way down for their computer skills >.< :mad:

    and as far as is that a typo? probably i am dyslexic soooo wouldn't surprise me, all results came from a search of the userinit.exe file.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are not finished here yet! Did you put the MFC42.dll file on it yet? You need that file now!

    Also check to see if this file exists: C:\WINDOWS\System32\msiexec.exe
    Without it, you will have problems installing. If it does exist, what is the file size and also right click on it and select Properties. Then click the Version tab and see if Microsoft is the Company. Also get the Version number.

    This is the first time you mentioned you had a connectivity problem. Did you try using IP addresses instead of URLs? Did you flush your DNS cache?

    Let's continue fixing some problems too.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee Framework Service (or if not found look for the short name: McAfeeFramework) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McAfee Framework Service

    If that does not work try entering the short name: McAfeeFramework

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    F2 - REG:system.ini: UserInit=userinit.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Network Associates <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log.
    And tell us how things are working.

    Make sure you answer all questions!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  15. Amandalynn

    Amandalynn Private First Class

    :eek: ok ok going to sneek in and get her machine eta of the completion of the list you just gave me about 45 mins.. maybe o_O lol I am on the job:cool:
     
  16. Amandalynn

    Amandalynn Private First Class

    Ok uploaded the .dll file -- no more start up errors.

    Tried your guys' windows update repair, not sure about this part "In the command prompt window enter the below commands (including the quotes)
    regedit /E c:\hklmBUR.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup"

    Then upload as an attachment the c:\hklmBUR.txt file that was just created. We are looking to see if the FilesNotToBackup registry key exists. If not, we will have to create that key."

    I entered that into command prompt, and looked to see if there was a file to upload but didn't find anything.. perhaps i typed it in wrong...
     
  17. Amandalynn

    Amandalynn Private First Class

    C:\WINDOWS\System32\msiexec.exe does not exist in system32 folder, however I did locate msiexec.exe in: (note: it shows up as missing in the hijackthislog... lol i can't win)

    C:\I386
    C:\WINDOWS\$MSI31Uninstall_KB893803v2$
    C:\WINDOWS\ServicePackFiles\i386

    /sigh at this point reformatting would have been a heck of a lot faster >.< but too far along to turn back now.. well maybe

    As far as internet connectivity well i thought it was an isolated incident connected to one pc but well i don't know whats going on but i think it is a TOTALLY separate issue so i made a separate post:
    http://forums.majorgeeks.com/showthread.php?t=84395

    Did not see this file in the HijackThis log, continued on with the steps "O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"

    In safe mode:

    Followed all steps and added a deletion of cookies and offline webpages in mozilla

    Posting a new hijackthis log from her pc.

    One question: Does it matter what id is logged on when the hijackthis log is formed? I have an id on her pc that I use... She has a separate one o_O just thought about that.... Sorry if this makes matters worse.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you did it correctly, it means the registry key does not exist and it should so this could be a problem.

    Let's try the below!

    Download the attached GetRunKey.zip to your PC someplace you can locate it. Then extract all the files from the ZIP. Locate the getrunkey.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also popup in a notepad window which you can just close. Upload the runkeys.txt file here as an attachment.
     


  19. Amandalynn

    Amandalynn Private First Class

    Noticed a lot of missing button/links/file... blar! any way here's the hijackthislog.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the msiexec.exe from C:\WINDOWS\ServicePackFiles\i386 into your system32 folder.

    Then reboot and see if updates work.

    Yes it does matter which user account is logged in. Each user account can be infected differently (or the same). But they each have their own registry entries and file structure.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you mean.
     
  22. Amandalynn

    Amandalynn Private First Class

    here you go...
     


  23. Amandalynn

    Amandalynn Private First Class

    For example: O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did something wrong earlier in message # 16 because the below registry key does exist:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup]

    It shows just fine in the runkeys.txt log.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They have been like that all along. Don't get sidetracked!
     
  26. Amandalynn

    Amandalynn Private First Class

    ok going to reboot and see if windows update works..

    As for the different user accounts CCCCCCRRRRRAAAAPPPPP

    I hope you are in a different timezone than me cause if you aren't its getting late lol
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's 2:22 am here and it is time to get some sleep. :)
     
  28. Amandalynn

    Amandalynn Private First Class

    Ok i just got a soda.. so now i am ready to go.. anyway microsoft is currently installing Microsoft Windows Installer 3.1 and i am rebooting again.... omgooses make it stop o_O shall we continue tomorrow? Should i put my soda away? lol its 1:30 here but i will be glad to see this issue GONE forever!
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So this means we fixed your inability to download updates.....right? At least thus far!

    Time to hit the sack!
     
  30. Amandalynn

    Amandalynn Private First Class

    You know something, I would love to tell you we did, BUT we didn't.

    Here's the low down. It's sticking on the installation of:

    Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB886903)

    With an error of: SL8.tmp - common language runtime debugging services. Application has generated an exception that could not be handled.

    Process id=0xe1c, Thread id=0x4c0 (1216)

    Click ok to terminate the application
    Click CANCEL to debug the application


    Not sure what you want me to do here sooo i clicked ok... lol hope it was an ok choice.

    Last successful update was: Windows XP Microsoft .NET Framework 1.1 Service Pack 1

    My thought is maybe run Windows Installation Clean up...
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well before you could not even start to get updates!

    Did any updates download and install okay?

    Skip .NET Framework for now and get other updates if possible. Let me know the result. We are actually working on something that truly belongs on the Software Forum now.
     
  32. Amandalynn

    Amandalynn Private First Class

    Actually there is nothing else under the 'critical' updates that she needs to download. the rest are just language packs etc that she doesn't need
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well then it sounds like Windows Update has worked and that you just had an issue with .Net Framework. Does it still show in the updates list?

    If so, maybe you should just try it again (if you really need it - many people do not really need this). Make sure you shutdown all unnecessary applications before trying again. Perhaps even shutdown your antivirus application while updating.
     
  34. Amandalynn

    Amandalynn Private First Class

    You know I shut down everything the last time, and tried last night lol but looks like i got it.. perhaps she denied something on the firewall. Who knows. I am more or less just trying to get her system going full force so i can take a break from the residential pc care girl >.<

    Ok so back on track whats the next step?

    Windows update is complete, it worked. So do i need to go back to the step i must have missed up in my caffeine craze last night? or move on?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, since we have fixed the malware issues, the next steps are below. Note you already have step 1 from the link given below completed now since you have your updates.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  36. Amandalynn

    Amandalynn Private First Class

    ok starting that now. So my Hijackthislog is good and everything is fine.. you mean there is a light at the end of the tunnel?
     
  37. Amandalynn

    Amandalynn Private First Class

    System Restore disable/enabled -- done

    Windows update -- done

    Antivirus -- Norton 2006 (primary) and Avast! Home Edition (downloaded but not active)--- done

    Firewall -- ZoneAlarm -- done

    CCleaner -- Done

    Spyware -- most downloaded in the read before section -- Active Microsoft AntiSpyware

    Security Setting for Active X -- Done

    Mozilla -- already running and using

    Microsoft Java --> Sun -- when Entered "RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall" got an Error: Could not Locate INF file 'java.inf'
    Nor could i find
    The \%Systemroot%\Java folder
    The file java.PNF from the \%Systemroot%\inf folder
    The files jview.exe and wjview.exe from the \%Systemroot%\system32 folder
     
  38. Amandalynn

    Amandalynn Private First Class

    System Restore disable/enabled -- done

    Windows update -- done

    Antivirus -- Norton 2006 (primary) and Avast! Home Edition (downloaded but not active)--- done

    Firewall -- ZoneAlarm -- done

    CCleaner -- Done

    Spyware -- most downloaded in the read before section -- Active Microsoft AntiSpyware

    Security Setting for Active X -- Done

    Mozilla -- already running and using

    Microsoft Java --> Sun -- ran the utility then put the latest version of Sun on her system

    Read the rest and making her read it tonight.


    Now what about the multiple users on this machine? At this point I have been logged in as myself on her machine, no clue but she had created me an ID... Is there a simple way to transfer her stuff over and delete her user account?

    Any thoughts?
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I hope you did mean downloaded and not installed
    Do not install more than one antivirus!

    You probably already had it uninstalled. Did you get the latest Sun Java installed? They are on Version 5.0 Update 6

    Also what version of FireFox are you using?
     
  40. Amandalynn

    Amandalynn Private First Class

    Right downloaded but not installed for the AV.

    Latest version of Sun installed... like downloaded it 5 mins ago latest

    Just got the recent update on firefox 1.5.0.1
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Sounds like you are all done to me!
     
  42. Amandalynn

    Amandalynn Private First Class

    *grin* thanks.. so i do anything about the user accounts? There are three total >.<
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well to be safe, you should check them all. You can take two approaches:

    1. Just login to each and make sure everything appears to work okay. This is not a good measure of whether the account is clean though.
    2. Run the cleaning steps (you don't need to do step 6 again though) for each account and truly make sure they are clean.
     
  44. Amandalynn

    Amandalynn Private First Class

    Ok sounds good.

    Thanks much ^_^ you guys are always the best!


    Amandalynn
     
  45. Amandalynn

    Amandalynn Private First Class

    *Grin* well logged on to the id i think might have been the 'source' or in other words her sister.. (where i think the problem started)

    Microsoft Anti Spyware already detected a trojan... Going to start at the beginning and work my way down >.< whosh will update you when i get all ids checked
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But if you get to the point of attaching HJT logs! Let's only do one at a time until clean and then move on to the next.
     
  47. Amandalynn

    Amandalynn Private First Class

    All i can say is someone owes everyone a dinner and a drink after this one...

    but yeah will do one at a time... Btw if its on one profile can it go to the next, ie the one we just cleaned?

    And do you want new thread for each 'account'?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Certain types of malware could spread to other accounts. That is part of the reason for cleaning all accounts and not just one.

    No you can just stay in this thread. Let's just be clear which account we are working on. So from now on use the name of the account in each message. That way it will be clear when we change to the other account.
     
  49. Amandalynn

    Amandalynn Private First Class

    One quick question? Should I be running all these scans INSIDE each ID or in safe mode again... I don't know where my head is but I have been doing them Inside each id... >.<
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the user accounts are not admin accounts you must run them in normal boot mode because you cannot access them in safe mode. If they have admin privileges then run them in safe mode.

    An alternative is to change the accounts to admin accounts while you work on them and then change them back later.
     