TechSpot

8 steps done logs attached

By joshuamays
Jan 20, 2010
  1. Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That's a lot of Adware! I suggest you look in Add/Remove Programs and see if you have any of these entries- if you do, uninstall them:

    Zango,
    Hotbar,
    Softomate,
    ShopperReports,
    Seekmo, and
    Hotbar Weather


    If you uninstall any of these: Using Windows Explorer> navigate to My Computer> double click on Local Drive (C)> Programs> do a right click> delete on any of the programs folders for those you removed.
    Close Explorer.

    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Rescan with Malwarebytes.
    Attach both logs to next reply.
     
  3. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    something still isn't right

    didn't see any toolbar addons or anything to that extent to remove. I did download ePSXe 1.7.0. then I downloaded a bunch of roms for it. <-- when the trouble started (virus related and slowing the speed of my pc)

    what next?
     

    Attached Files:

  4. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    mbam log

    forgot to post the new mbam log. ran malware again after sdfix.
     

    Attached Files:

  5. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    So are you running okay now?
     
  6. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    pc is still running very slowly. boot time has drastically increased. as well as time it takes to open/close programs and loading an internet page. I lag while running pc games now.
     
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Check your hard drive for errors...
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Josh, please do the following:

    Please download OTMovit by Old Timer and save to your desktop.

    Go to the Control Panel> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide protected system files-Recommended'> Apply> OK
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes

      :Services

      :Reg

      :Files
      C:\Program Files\InterActual\InterActual Player\iti83.tmp
      C:\Documents and Settings\Masta J\Desktop\SDFix\dummy.sys
      C:\Documents and Settings\Masta J\Desktop\SDFix\apps\dummy.sys

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    When you have finished, run this online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Rehide the files and folders.

    Follow with rescan with HijackThis.

    Please attach the OTMoveIt report, the Eset log and the new HJT log to your next reply.

    Please advise of any malware related problems at that point. IF the logs are clean, I'll have you remove the cleaning tools and old restore points..

    I will give you some pointers that will help prevent some of the malware.

    Tmagic, please refrain from making replies on this thread.
     
  9. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    update info on ESET

    in order to run ESET NOD32 I need to setup a proxy server. I'm unsure exactly how to go about it. I need help setting up a proxy server for firefox 3.6. never used a proxy server before.
    I posted the "help setup proxy server for firefox 3.6" thread at:

    http://www.techspot.com/vb/topic141895.html

    nvm i got it figured out
     
  10. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    last 3 logs

    no signs of virus or malware that I notice. however my pc is still bogged down at a slow speed.
     

    Attached Files:

  11. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Start by checking the hard drive for errors, then check memory. You may have corrupted Windows files too. An XP repair may help
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Josh, please run the following: I couldn't get the download link to work, so just click on the Goored Fix link on the page to download

    Part 1 - The Scan
    • Please download GooredFix From this site: http://forums.majorgeeks.com/showthread.php?t=182559 and save it to your Desktop.
    • Double-click Goored.exe to run it.
      [o] Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
      [o] A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Please attach the Goored.txt log to your next reply
    • Note: Do not run Option #2 yet until I tell you to do so.
    ------------------------------------------------------------
    You do have malware. I'm leaving the entries for you to see, but hopefully they will be removed- so don't do anything with them:
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll gutodayo.dll c:\windows\system32\tawagifi.dll
    O21 - SSODL: fodowumor - {4df0615b-fe47-4c98-b3ed-40b595d3e979} - c:\windows\system32\tawagifi.dll
    O22 - SharedTaskScheduler: jugezatag - {4df0615b-fe47-4c98-b3ed-40b595d3e979} - c:\windows\system32\tawagifi.dll

    Question: are you deliberately using this program? Is this why you needed the proxy?
    R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll

    It is a legitimate program.
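The three HijackThis lines quoted above point at the same DLL from three different autostart locations (AppInit_DLLs, SSODL and SharedTaskScheduler), and two of them share one CLSID; that overlap is what marks them as one persistence cluster rather than three unrelated entries. The parser below is an added example written for this thread, not a TechSpot or HijackThis tool: it reads the quoted lines (embedded as a constructed sample, with the legitimate R3 entry included for contrast) and reports which DLLs and CLSIDs are reached from more than one entry.

```python
import re
from collections import defaultdict

# Constructed sample: the O20/O21/O22 entries and the R3 entry quoted in the post above.
HJT_LOG = r"""
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll gutodayo.dll c:\windows\system32\tawagifi.dll
O21 - SSODL: fodowumor - {4df0615b-fe47-4c98-b3ed-40b595d3e979} - c:\windows\system32\tawagifi.dll
O22 - SharedTaskScheduler: jugezatag - {4df0615b-fe47-4c98-b3ed-40b595d3e979} - c:\windows\system32\tawagifi.dll
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
"""

# "<code> - <kind>: <rest>"; the kind never contains a colon, so "C:\..." in <rest> is safe.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
# Either a full drive path ending in .dll, or a bare filename (AppInit_DLLs lists those).
DLL_RE = re.compile(r"(?:[A-Za-z]:\\[^\s]+?\.dll|\b[\w-]+\.dll)", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per recognised entry: code, kind, clsid (or None), dll basenames."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        clsid = CLSID_RE.search(rest)
        # Compare by lowercased basename: the log mixes C:\WINDOWS and c:\windows.
        dlls = [d.rsplit("\\", 1)[-1].lower() for d in DLL_RE.findall(rest)]
        entries.append({"code": m.group("code"), "kind": m.group("kind"),
                        "clsid": clsid.group(0).lower() if clsid else None,
                        "dlls": dlls})
    return entries


def correlate(entries):
    """Map each DLL basename and each CLSID to the sorted entry codes that reference it,
    keeping only those referenced from more than one entry (the persistence cluster)."""
    by_dll, by_clsid = defaultdict(set), defaultdict(set)
    for e in entries:
        for d in e["dlls"]:
            by_dll[d].add(e["code"])
        if e["clsid"]:
            by_clsid[e["clsid"]].add(e["code"])
    shared = lambda table: {k: sorted(v) for k, v in table.items() if len(v) > 1}
    return {"dlls": shared(by_dll), "clsids": shared(by_clsid)}


if __name__ == "__main__":
    for key, hits in correlate(parse_hjt(HJT_LOG)).items():
        print(key, hits)
```

The output names tawagifi.dll as loaded from O20, O21 and O22 and the 4df0615b CLSID as shared by O21 and O22, while guard32.dll and dvmurl.dll each appear only once.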
     
  13. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    ran CHKDSK. HD is ok. Ran 4 simultaneous Memtest at 727MB each checking 550%+ of RAM. RAM is ok.

    Goored not prompting for any option 1. I tried manually clicking on the prompt and typing 1 and pressing enter, but it didn't work. Only option is to scan and remove.

    as for the ESET online antivirus. I implied instructions as asked. the proxy was needed in order to run it (that is, after hitting "start" at the top of the window it would eventually read "Unable to detect proxy" or something to that extent). then I was given the option to configure the proxy. I updated firefox and am currently running 3.6. tried running ESET again after and it worked fine w/o prompting me to input IP username/pass for proxy.
     

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Part 2 - Goored The Fix

    You should print these instructions because all FireFox browsers MUST be closed before running the fix.
    • Please double-click Goored.exe on your Desktop to run it.

      • [o] Select 2. Fix Goored by typing 2 and pressing Enter.
        [o] Make sure all instances of Firefox are closed at this point.
        [o] Type y at the prompt and press Enter again.
        [o] A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Now rerun FireFox and please attach the new Goored.txt log to your next reply

    Are the malware related problems resolved? I'll clear you for that. But 'slow' is something you will need to pursue in the Windows OS forum.
     
  15. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    thx for the help. didn't seem like anything changed after running goored though.
     

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Josh, this is your description of the problem:
    Later you added this:
    And finally this:
    The Eset online scan is clean. You have a lot of unnecessary processes running in the background. I suggest you take them off of the Startup menu and put any related Services on Manual.
    You are running the following:
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE


    Try taking them off of Startup and see if you notice a difference.

    To remove the cleaning tools:
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    IF the slow system continues, I suggest you move over to the Windows OS forum for more help.
     
  17. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    how do I turn a program off of the starting menu? I know how to end process in task manager, but what exactly do I do to prevent any certain program from automatically running at startup?

    Pc is still running slow. OS thread has been posted at http://www.techspot.com/vb/topic142063.html

    thx again for ur time. feel free to jump on the next thread :)
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Here you are: this is almost spooky because I just set this up for someone else!

    Ending the process in the Task Manager isn't a good idea and isn't going to do anything except stop it until you reboot.
    This is easiest to do in Safe Mode: you will stay in Safe Mode until you reboot at the end. Here's each step:

    NOTE: I'm using C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE as an example below because I wanted to give you the path for a related Service. But the same path and process can be used for any program. I wanted you to understand where to look and what to do.

    • [1]. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      [2]. Take off Startup:
    • Start> Run> type in msconfig>enter> Selective Startup> Startup menu>
    • Uncheck any process you don't want to start on boot>
    • when finished with all the unchecking> click on Apply> OK
      (Example: you decide you don't need this to start on boot: C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE so you Uncheck EasySaver

      [3]. Uninstall a program:
    • Start> Settings> Control Panel> Add/Remove Programs> uninstall here> Close
      (But you don't want to uninstall the EasySaver so you leave it- you can start it as needed)

      [4]. Remove program folder (only if program is uninstalled)
    • Access Windows Explorer: Right click on Start> Explore:
    • Open My Computer> double click on Local Drive (C)> Programs
    • Find the folder for any program you uninstalled> do a right click> Delete on each folder.
    • Close Windows Explorer.
      (And you didn't uninstall C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE so you don't delete the folder)

      [5]. Change Service Startup type
    • Start> Run> type in services.msc
    • double click the Service> Change the Startup type as follows:
      [o]For a Service related to a program you will use as needed but does not start on boot> Manual
      [o]For a Service related to a program you have uninstalled> Disable Startup type> stop Service
    • Close Services.
    (Example: C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE has a Service that will start it automatically, but you want to change that: so you find this in the Services and double-click: Change Automatic to Manual)

    Reboot the computer back into Normal Mode: NOTE: the first time you reboot after using msconfig, you get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Summary:

    • [1]. Boot into Safe Mode first.
      [2]. Uncheck the process on the Start menu to stop the process from starting on boot.
      [3]. Uninstall any program or app you don't need or use.
      [4]. Remove the program folder if you uninstalled the program.
      [5]. Change any associated Service to either Disabled or Manual Startup.
     
  19. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    k done deal thx again
     
  20. joshuamays

    joshuamays TS Enthusiast Topic Starter Posts: 137

    oh dear, Comodo is finding trojans and I'm quarantining them. is it possible there's still stuff left? or is this new? I've only logged on techspot and other pages linked to this site since the fix.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Josh, as far as I can see, you are using the Comodo firewall and Avira antivirus.

    A firewall doesn't "find" Trojans. A firewall listens to incoming ports and outgoing ports if bi-directional (think of 'ports' as doors to your house and the house is the system) and blocks sites that attempt to access certain ports or use a protocol that is not allowed. On the other hand, specific ports need to be 'open' to allow normal internet traffic.

    Can you explain what you are seeing for
    A firewall doesn't have you quarantine anything. Depending on how you have it configured, it will ask if you want the IP to access your system. If you do not, you have the firewall block it. And a two-way firewall like Comodo also 'listens' at outgoing ports for anything on your system that wants internet access.

    Even this doesn't mean the IP is a Trojan. It could be that the firewall isn't configured correctly to allow normal internet traffic either out or in. It can be that the firewall is just doing its job- but I need a better description of what you are seeing.

    EDIT: By the way, Cmdagent.exe is a Comodo Firewall process that causes high CPU usage.
    (Your entry is C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe)
     
Topic Status:
Not open for further replies.
