HJT

[Richard132]

My computer is running really sluggish l8ly i cleaned everything and still no luck and i made a HTJ scan some stuff there dont look gd to me but ill let you lot be the judge of it x)

 

[BillAllen55]

Some anti spyware to be done

Please go to the website and follow directions. This should be of assistance.
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Regards

 

[tw0rld]

Start up programs that can be removed

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1215819750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [couqua] C:\WINDOWS\system32\soofurowyv.exe
O4 - HKLM\..\Run: [loquynne] C:\WINDOWS\system32\vefoqu.exe
O4 - HKLM\..\RunServices: [couqua] C:\WINDOWS\system32\soofurowyv.exe
O4 - HKLM\..\RunServices: [loquynne] C:\WINDOWS\system32\vefoqu.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

Suspicious entries

O4 - HKLM\..\Run: [couqua] C:\WINDOWS\system32\soofurowyv.exe
O4 - HKLM\..\Run: [loquynne] C:\WINDOWS\system32\vefoqu.exe
O4 - HKLM\..\RunServices: [couqua] C:\WINDOWS\system32\soofurowyv.exe
O4 - HKLM\..\RunServices: [loquynne] C:\WINDOWS\system32\vefoqu.exe
O23 - Service: Zip Backup to CD (heeo4hz5orma) - Unknown owner - C:\WINDOWS\system32\soujoogydouj.exe

Remove Avg Anti-Spyware, as it is no longer supported.

How much RAM do you have installed?

Go here and follow the Instructions

https://www.techspot.com/community/topics/updated-4-step-viruses-spyware-malware-removal-preliminary-instructions.58138/

 

[BillAllen55]

That website was previously referenced.

 

[tw0rld]

That website was previously referenced.

yeah! You must have been typing at the same time that I was. when i started replying there weren't any post(S) made.

 

[Bobbye]

I'm seeing a trend starting here that's not in the best interest of someone who has a malware infection. Maywarebytes should be run first, then SuperAntispyare, THEN HijackThis. Dealing with HijackThis without the benefit of those programs, what they find and remove is not the way to go!

People are throwing out HijackThis logs and skipping the rest of the programs and that is NOT the correct way to go through the malware cleaning! AFTER the first set of programs have been run and the logs checked, THEN HijackThis can be re-run to make sure suggested entries were removed.

 

[Richard132]

The virus my avg scan found couldnt get a log..
http://img239.imageshack.us/my.php?image=trjanbq4.gif

and the list of infected files:
http://img239.imageshack.us/my.php?image=trjan2ky1.gif
http://img185.imageshack.us/my.php?image=trjan3ct7.gif
http://img185.imageshack.us/my.php?image=trjan4ho3.gif

malwarebytes log and HJT log attached
Super antispyware only found cookies

Also in virus vault do i have to keep them there? or do i have to press delete/empty vault?

Thanks for help.

 

[Bobbye]

Mbam is clean. SO is HijackThis, with the following needing to be verified:

This TCP/IP is for AOL which looks like your ISP:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0DA02CE8-A747-419E-AF9E-8EA04F67C049}: NameServer = 205.188.146.145> AOL
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DA02CE8-A747-419E-AF9E-8EA04F67C049}: NameServer = 205.188.146.145

O17 - HKLM\System\CCS\Services\Tcpip\..\{90DC1203-D41D-4F00-98B1-67E8D2C15BB7}: NameServer = 92.31.242.20 92.31.242.21

But this one: 92.31.242.20> 92.31.242.21 o comes up through the Ripe Network overseas and the IP is for:
netname: CPWBBS-SERV
descr: Carphone Warehouse Broadband Services Servers
country: GB
RIPE Network Coordination Centre

IF this is one of your providers, no problem. It just needs to be verified. If it is NOT, then it needs to be removed.

If AVG has those infected images in Quarantine, you can delete them. I did not click on the image link, but you would do well to track it down as to it's source is you can, then remove and avoid.

You can not remove the cleaning tools and old restore points:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go thorough the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

A few people have said the remove restore point option isn't coming up this way. If it does not:
Control Panel System> System Restore tab> CHECK 'turn off System Restore'> Apply> OK> Reboot

Then go back in and UNCHECL 'turn off System Restore'> Apply> OK

IF speed is still a problem, you should UNCHECK everything on the Startup tab using msconfig EXCEPT the antivirus and firewall. (touchpad for laptop, network process if on network). Everything else, including printer, can be started manually.