Cleaning-Up

Status
Not open for further replies.

gubhenheim

Hello,

I am new to this website, and from what I have read so far I think this is the place where I can get the most help.
Recently I got the XP Antivirus program on my computer. With that, my Google links have been redirected, and the iexplore.exe process made its way onto my computer. I've downloaded and used AVG, SuperAntiSpyware, Ad-Aware and Spybot to clean up some found trojans and malware. I also obtained Avast, but have yet to use it.

I have also used Malwarebytes and HijackThis and provided the logs.
I want to know if there is anything else I should do to make sure my system is clean, and if there is any other advice or tips anyone can give me.

Thanks, the help is very very appreciated

 
You should be good if you used Malwarebytes to scan your computer and delete the files, because the XP Antivirus program is ALL malware. I used it not too long ago on my other computer and there is no trace of anything wrong anywhere.
 
Back-door trojan?

Hey
Thank you, now I know I'm headed in the right direction.
However, I am running into a snag, and this is open to anyone.
I have run some scans, both in regular start-up and in Safe Mode, but two registry entries keep showing up. I am pretty sure these are back-door trojans, or some hack modified my system so that they are installed at every start-up.

I've had some experience taking out a Vundo trojan I had a while back, but this is totally out of my league.

Can anyone help me out?

THANK YOU!
 
Wow, a lot of "Desktop Messenger" in the HJT log.

But of more concern is this in the MBAM log:
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> No action taken.

You needed to fix those entries, and also this one in HJT: O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Mark Agor\xrt_uutq.exe

Actually, try this also (I say also because you need to do an updated malware scan again and fix those registry entries):

Please do this
(Some members say they have already tried this in a reply, but later I find it has not been done!)
The following not only resets all of Internet Explorer's settings, but also removes all temp files, disables all extensions (toolbars, browser extensions, and Browser Helper Objects), and restores ActiveX controls.


How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note: users who cannot start Internet Explorer 7 for some reason can use RIES from Internet Options in Control Panel.
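As an added example (not part of the thread), a small Python triage over log lines in the HijackThis O4 and Malwarebytes "Registry Values Infected" formats quoted in the reply above: it flags autostart entries whose executable lives in a user-writable location (the xrt_uutq.exe entry sits in the user profile rather than Program Files or Windows) and lists MBAM detections still marked "No action taken". The sample lines are constructed; apart from the xrt_ entries quoted in the thread, the paths are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines (example input, not the poster's full logs); the
# xrt_ entries mirror the ones quoted in the thread, the rest are placeholders.
HJT_LINES = [
    r"O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Mark Agor\xrt_uutq.exe",
    r"O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe",
    r'O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" /n',
]
MBAM_LINES = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> No action taken.",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.",
]

# HJT O4 line: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)   # executable, quoted or not
# MBAM registry line: "<registry path> (<threat>) -> <action>"
MBAM_RE = re.compile(r"^(?P<key>HKEY_\S+) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")

PROFILE_ROOTS = {"documents and settings", "users"}   # first folder after the drive
TEMP_DIRS = {"temp", "tmp"}                            # anywhere in the path

def in_user_writable_location(exe):
    """True if the executable sits in a user profile or temp folder rather than
    Program Files / Windows, where legitimate autostarts normally live."""
    parts = [p.lower() for p in PureWindowsPath(exe).parts[1:]]  # drop the drive
    return bool(parts) and (parts[0] in PROFILE_ROOTS or any(p in TEMP_DIRS for p in parts))

def triage_hjt(lines):
    """Return (value name, exe path) for O4 autostarts worth reviewing."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line)
        exe = EXE_RE.match(m.group("cmd")) if m else None   # lines without an .exe are skipped
        if exe and in_user_writable_location(exe.group("exe")):
            flagged.append((m.group("name"), exe.group("exe")))
    return flagged

def pending_mbam(lines):
    """Return (registry path, threat name) for MBAM detections not yet acted on."""
    return [(m.group("key"), m.group("threat"))
            for m in map(MBAM_RE.match, lines)
            if m and m.group("action").startswith("No action taken")]

if __name__ == "__main__":
    for name, exe in triage_hjt(HJT_LINES):
        print(f"review autostart [{name}] -> {exe}")
    for key, threat in pending_mbam(MBAM_LINES):
        print(f"still unfixed in MBAM: {key} ({threat})")
```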
 
Updated Info

Ok,

As of now, the two backdoor items have been removed via Malwarebytes
and the reg hack has been fixed with HJT. How would I go about removing Desktop Messenger, or is it fine as is?

As for RIES, I use Mozilla and therefore do not have IE7. Should I download this new version anyway?
I reset the settings via Control Panel, but I do not think it achieved the desired effect.
Anyway, I assume you would like to see the new report.

And again, thanks for the help. THIS FORUM IS GREAT!
 
Re-scan complete

Cool,

Thanks for the heads up on the NetWare network. I'm not sure I understand all of the technical jargon, but I get the feeling I need to check if I am running it before I get rid of it. I want to check in "Network Connections", but I don't know where to look from there.

I deleted all of the O18 entries and my system seems to run fine.
After this whole event, should I worry that a "cracker" is on my system, or that my laptop is a zombie?
 
That looks a lot better.

Now, that nwprovau.dll file.

I used the link to the information instead of just removing it, because I didn't know if your network uses it or not.
But if you are on a home computer without a network to other computers, then it is safe to remove. Here's how:

Download LSPFix
http://www.cexx.org/LSPFix.exe

Run it

Tick the box "I know what I'm doing"

Select (single click) on nwprovau.dll

Select the right-pointing arrow

Select Finish

Restart to confirm all is still OK

:)
 
NetWare

Regarding that nwprovau.dll,

I've checked my connection properties, and I'm pretty sure my laptop is running NetWare components.
I found NWLink NetBIOS and NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
Both of their descriptions mention "NetWare networks."

I'll keep it on my system as long as I do not run into any more problems.

Thanks for all the help
 