Hijackthis log

Status
Not open for further replies.

Martini

I recently acquired the Sagipsul virus and the Spyware Guard 2008 virus, and I'm pretty sure I got rid of them with Malwarebytes' Anti-Malware and SUPERAntiSpyware. Just to make sure I have nothing else, I'd appreciate it if someone could check out my HJT log.

Going through the steps on the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions."

Installed Avira. Ran a scan and removed the infections. Log file attached.

Installed Comodo Firewall.

Ran CCleaner three times with browsers closed- everything checked except "Old prefetch Data."

Disabled real time monitoring programs.

Ran Malwarebytes full scan and attached log.

Scanned with Superantispyware and attached log.

Updated Java and uninstalled older versions.

Ran HJT and saved log.
 
Well, SAS shows you made some trips to Limewire, so you must have closed the gate after the horse got out!
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O20 - AppInit_DLLs: ptoqch.dll qjhxgd.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Any processes for the Ask toolbar

Control Panel> Add/Remove Programs> UNINSTALL any Ask Toolbar entries.

Right click on Start> Explore> Windows > System32> right click> delete any of the following files if found:
ptoqch.dll
qjhxgd.dll
Reboot into Normal Mode: NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

These two files can be related to the Comodo firewall:
Guard32.
Cssdll32.
But these two are unidentifiable:
ptoqch.dll
qjhxgd.dll
And this Cssdll32.dll can be a Trojan/Backdoor.
So the string is invalid, which is why you'll remove it:

Run a new scan with HijackThis and attach the log on your next post. We'll see how the O20 entry displays.
 
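The O20 entry above is the security-relevant finding in this thread: AppInit_DLLs lists DLLs that Windows loads into every process that loads user32.dll, so a bare file name with no path and no known owner is exactly what the helper singles out. As an added example (not from the thread, from HijackThis, or from any of the tools it mentions), here is a small Python triage script that parses O2 and O20 lines in the HijackThis log format; the list of DLLs it treats as Comodo's is taken from the helper's post and is an assumption, not a verified allow-list.

```python
import re

# Constructed sample: HijackThis lines modelled on the ones quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\\Program Files\\AskSBar\\bar\\1.bin\\ASKSBAR.DLL
O20 - AppInit_DLLs: ptoqch.dll qjhxgd.dll C:\\WINDOWS\\system32\\guard32.dll C:\\WINDOWS\\system32\\cssdll32.dll
"""

# Assumption taken from the helper's post: these two belong to Comodo Firewall.
# Real triage should confirm ownership by signer/hash, not by file name alone.
KNOWN_APPINIT = {"guard32.dll", "cssdll32.dll"}


def appinit_dlls(value: str) -> list[str]:
    """Split an AppInit_DLLs value. Windows accepts space- or comma-separated entries.
    Caveat: quoted paths containing spaces are not handled by this simple splitter."""
    return [t for t in re.split(r"[ ,]+", value.strip()) if t]


def triage_hjt(log: str) -> dict[str, list[str]]:
    """Return finding-category -> entries for O2 (BHO) and O20 (AppInit_DLLs) lines."""
    findings = {"orphan_bho": [], "unknown_appinit": [], "known_appinit": []}
    for line in log.splitlines():
        if line.startswith("O2 - BHO:"):
            # An O2 line ending in "(no file)" is an orphaned CLSID registration:
            # nothing loads, but the leftover entry is still worth removing.
            if line.rstrip().endswith("(no file)"):
                findings["orphan_bho"].append(line.split(" - ")[2])
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1]
            for dll in appinit_dlls(value):
                # Normalise to the bare file name for the lookup.
                name = dll.replace("\\", "/").rsplit("/", 1)[-1].lower()
                # A bare name with no directory is resolved through the loader's
                # search path and injected into every user32-loading process, so
                # anything not positively identified is treated as unknown.
                bucket = "known_appinit" if name in KNOWN_APPINIT else "unknown_appinit"
                findings[bucket].append(name)
    return findings


if __name__ == "__main__":
    for category, entries in triage_hjt(SAMPLE_LOG).items():
        print(f"{category}: {entries}")
```

On a live machine the same value can be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (value AppInit_DLLs) and fed to `triage_hjt` instead of the constructed log.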
Thanks for the help.

Well, SAS shows you made some trips to Limewire, so you must have closed the gate after the horse got out!
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O20 - AppInit_DLLs: ptoqch.dll qjhxgd.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
The two middle entries did not show up. I deleted the other two.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Any processes for the Ask toolbar
Didn't see any.


Control Panel> Add/Remove Programs> UNINSTALL any Ask Toolbar entries.
None there.

Right click on Start> Explore> Windows > System32> right click> delete any of the following files if found:
ptoqch.dll
qjhxgd.dll
Wasn't there.

Reboot into Normal Mode: NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
No nag message.
 
The HijackThis log is clean. You didn't get the nag message because you didn't make any changes.

Due to the Rootkit and malware in SAS:
Please update and rescan with Malwarebytes, follow with SuperAntispyware, then new scan with HijackThis.

If they are clean, we'll remove the cleaning tools,
 
The cleaning tools are the programs you download and ran for the cleaning: Malwarebytes, SuperAntispyware, HijackThis.

The log is clean. But there is still evidence of an additional Java program being installed other than v6u11. Take a look in Add/remove Programs and uninstall any other versions except v6u11.

This is a startup loading that I recommend you uncheck using msconfig, on the Startup menu:
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
>>> Registration reminder for Palm products is not necessary for startup. It is usually run infrequently and can be started manually if needed.
Remove the cleaning tools:
* Download OTCleanIt
http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Let us know if we can be of more help. You should be running a bit better now.
 
The cleaning tools are the programs you download and ran for the cleaning: Malwarebytes, SuperAntispyware, HijackThis.
Shouldn't I let SuperAntispyware run all the time to keep me from getting more nasties on my PC? I'm running that, Avira and Comodo.

The log is clean. But there is still evidence of an additional Java program being installed other than v6u11. Take a look in Add/remove Programs and uninstall any other versions except v6u11.
All I see in Add/remove Programs with the word "Java" is Java(TM) 6 Update 11.

"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
I don't see where I can select C:\ or a *More options* tab.
 
OTCleanIt- revising directions:
Download OTCleanIt & save it to your desktop.
Double click on OTCleanIt.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

About SuperAntispyware: we send you to a site for a free download to scan in the malware cleaning. You're going to have to check the site to see if you can continue running it free.
 
OTCleanIt- revising directions:
About SuperAntispyware: we send you to a site for a free download to scan in the malware cleaning. You're going to have to check the site to see if you can continue running it free.
Thanks again for all your help.

Besides using Avira anti-virus and Comodo firewall, is there anything else you recommend I should use to make sure I don't get infected again?
 
You're welcome. I do recommend that you run at least 2 spyware/adware programs in addition to the AV and firewall.

Here are some suggestions: all free:
Spyware/Adware Programs:
SpywareBlaster: https://www.techspot.com/downloads/568-spywareblaster.html
Spyware Doctor: https://www.techspot.com/downloads/176-spyware-doctor.html
Spybot Search & Destroy: https://www.techspot.com/downloads/149-spybot-search-and-destroy-detection-update.html

Keep in mind that the first line of defense is the ISP, the second is the user- no matter what security programs a user has, safe surfing and email handling are required. This means:
1. Don't click on pop-ups.
2. Don't be fooled by a rogue program giving an 'alert' that you are infected, tricking you into downloading their program.
3. Use some type of site advisor help. McAfee has one, IE7 has a phishing filter, Firefox has an advisor. Programmers often insert a commonly used word into a site so that it will come up in a search- then you find yourself on a porn site.
4. Do NOT open email from a name you don't recognize.
5. Don't leave your personal email address on any internet site- get a 'throwaway' web-based email for this purpose.
6. Do not open an attachment unless you are expecting it, know who sent it and what it is.
7. Don't do 'surveys', raffles, 'win a million dollars' and other potentially dangerous come ons.
8. Have as few processes as possible contacting the internet. I don't have ANYTHING doing auto-updates except the AV program.
9. Do regular maintenance on the system to include disc cleanup, error check, defrag and scans with the security programs- always update each security program before the scan.
10. File sharing sites will give you malware> BitComet, uTorrent, Limewire, etc.
 