I'm not sure if this is something serious

Discussion in 'Virus and Malware Removal' started by chipopo, Sep 30, 2009.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    Chip, I'm sorry but I can't help with the logs at this time.

    But it would be to your advantage to read the Spybot reference I left for you.

    We don't have any trained malware helpers working on TS now- it's temporary. Some members have been able to assist to some degree. Handling the problems you can will make things work better for you.

    I'll try to locate someone through a PM.
  2. chipopo Newcomer, in training

    thanks. you've been a big help as it is.
  3. Bobbye Helper on the Fringe

    I appreciate that. It's kind of like looking at an ice cream cone with my hands tied behind my back! I did send the PM. Hopefully there will be some result.
  4. momok Newcomer, in training

    Hi chipopo,

    I used to do a lot of malware cleaning here in the past. I haven't done that in a very long time, so I won't guarantee that I can fix your system, but I'll try my best. Also, I'm not the most free (or active, for that matter) member around here, so do bear with me with patience for replies. Should you have urgent matters you may PM me. So here goes...

    I spotted these in your logs:

    C:\Documents and Settings\àéìï\Application Data\MSA\ - definitely bad

    O4 - HKCU\..\Run: [dmusrd8] rundll32.exe "C:\Documents and Settings\àéìï\Local Settings\Application Data\dmusrd8\dmusrd8.dll", DllInit <- this one looks tricky and I can't be sure, but I suspect it's bad.

    First off, since the last time you posted logs was 4 days ago, I suggest running through some key steps in the 8-step guide again, namely those that give you logs: MBAM, HijackThis.

    Post your new logs here.

    At the same time, please locate in your system for these 2 folders:
    C:\Documents and Settings\àéìï\Application Data\MSA\
    C:\Documents and Settings\àéìï\Local Settings\Application Data\dmusrd8\

    Let me know if the folders are there and their entire contents. Also let me know if you have any knowledge of their usage (i.e., did you create those folders, be it manually or through installation of any programs; which programs, etc.).

    With that knowledge and some fresh logs, from there on I'll see what we can do.
  5. chipopo Newcomer, in training

    updated logs

    Hello momok,
    Thanks for joining in. I'm running the scans now and intend to attach the logs when I finish. Meanwhile I'm attaching a printscreen of those folders you asked about. I have no idea who created them and for what purpose (but you should know that I received this PC when it was already used by someone else).
  6. Tmagic650 TechSpot Ambassador

    What language are these folders displaying?
  7. chipopo Newcomer, in training

    Just finished.

    Oh, missed that question - it's Hebrew.
  8. Bobbye Helper on the Fringe

    momok will be following up with you chip- I missed the language- thought it was Russian! In the meantime, you can adjust your Cookie settings:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    This will help in the future to prevent the Tracking Cookies. Using the add-ons I mentioned will also prevent some adware from loading.
  9. momok Newcomer, in training

    Hi,

    Please start HijackThis and fix the following entries:

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKCU\..\Run: [dmusrd8] rundll32.exe "C:\Documents and Settings\àéìï\Local Settings\Application Data\dmusrd8\dmusrd8.dll", DllInit
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\àéìï\úôøéè äúçìä\úåëðéåú\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\àéìï\úôøéè äúçìä\úåëðéåú\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
    O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab

    On top of that, please delete the two folders that we have discussed earlier:
    C:\Documents and Settings\àéìï\Application Data\MSA\
    C:\Documents and Settings\àéìï\Local Settings\Application Data\dmusrd8\ < credit to Bobbye for confirmation that this is bad

    Empty your recycle bin too.

    Once you have done that, reboot your system and post a fresh hijackthis log. Let us know if you have any problems following this reboot too, thanks.
  10. chipopo Newcomer, in training

    Here are the results.

    Thanks Bobbye and momok.
    Bobbye, I went through all of your steps but my settings were just like what you asked me to change them to.
    momok, here is the new log. The only problem I had was deleting the second folder that you mentioned. I was told that I can't delete the file because it might be in use, etc...
  11. Bobbye Helper on the Fringe

    Chip, since it's been two weeks since you started this thread, can you fill us in on what problems you are currently experiencing?
  12. chipopo Newcomer, in training

    Sure. As a matter of fact, right now it seems that there are no known problems. Could it be that everything was fixed?
  13. Bobbye Helper on the Fringe

    Well, you're almost through, but we need to remove a few entries in HJT:

    The way it reads now, you are instructing the system to use a Proxy Server. But at the same time, you are telling it to override the Proxy Server. There is also a page coming up "Blank." This is okay if you have intentionally set a homepage to display blank, but if you have not, then it needs to be removed.

    So one last time:
    Reopen HijackThis to 'do system scan only'. Check each of the entries below:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    If your ISP requires you to use a Proxy Server, leave the following. If not, check it.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

    IF you want the MAN connection to override the Proxy Server, leave the following. If not, check it.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    Close all Windows except HijackThis. Click on "Fix Checked".

    Run the following online scan: Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
    ---------------------
    If you are unable to run the ActiveX Antivirus Scanners, let's try this Java based solution from Trend Micro.

    If the scan is clean and there are no more problems, I'll instruct you in removing all the cleaning tools and set new restore points.

    Almost through!
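As an added illustration of the triage logic behind momok's fix list (post 9) and Bobbye's proxy/start-page advice (post 13), here is a small Python script that is not from the thread or any participant. It applies those same rules to HijackThis-style entries; the sample entries are constructed from the ones quoted in the thread, with the profile name replaced by the placeholder USER and one benign ctfmon line added as a control.

```python
import re

# HijackThis-style entries constructed for this example (profile name
# replaced by the placeholder USER; the ctfmon line is an added benign control).
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = :
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\\..\\Run: [dmusrd8] rundll32.exe "C:\\Documents and Settings\\USER\\Local Settings\\Application Data\\dmusrd8\\dmusrd8.dll", DllInit
O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
"""

# Per-user writable locations on Windows XP. A DLL autostarted from here via
# rundll32 is the pattern momok flagged: no admin rights are needed to drop it.
USER_PROFILE_DIRS = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Local Settings\\)?Application Data\\", re.I)

def triage_entry(line: str):
    """Return (verdict, reason) for one HijackThis line.

    verdict is 'remove', 'review' or 'ok'; the reasons mirror the thread's advice."""
    m = re.match(r"^(R\d|O\d+|F\d) - (.*)$", line.strip())
    if not m:
        return ("ok", "not an HJT entry")
    section, body = m.groups()
    if "(no file)" in body or "(file missing)" in body:
        return ("remove", f"{section} orphan entry: its target no longer exists")
    if section == "O4" and "rundll32" in body.lower() and USER_PROFILE_DIRS.search(body):
        return ("review", "O4 autostart loads a DLL via rundll32 from a user-profile directory")
    if section == "O16":
        return ("review", "O16 ActiveX download (DPF) from a third-party site")
    if section == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip()
        if value in ("", ":"):
            return ("remove", "R1 ProxyServer set but empty: remove unless the ISP needs a proxy")
        return ("review", f"R1 ProxyServer = {value}: confirm it is the ISP's proxy")
    if section == "R1" and "ProxyOverride" in body:
        return ("review", "R1 ProxyOverride: keep only if local traffic must bypass the proxy")
    if section == "R0" and "about:blank" in body:
        return ("review", "R0 blank start page: fine only if it was set deliberately")
    return ("ok", f"{section} entry with an existing target")

def triage_log(text: str):
    """Triage every non-empty line; returns a list of (line, verdict, reason)."""
    return [(ln, *triage_entry(ln)) for ln in text.splitlines() if ln.strip()]
```

Running `triage_log(SAMPLE_LOG)` marks the orphaned BHO and the empty ProxyServer entry for removal, flags the dmusrd8 autostart, the DPF download, the ProxyOverride and the blank start page for review, and passes the ctfmon control.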
  14. chipopo Newcomer, in training

    Hi Bobbye,
    I removed the first three entries. About the other two, I have no idea what the answers to your "if" questions are, so I didn't touch them.
    None of the scans succeeded on my Internet Explorer (including the Java one). I tried the Trend Micro scanner (HouseCall) with Firefox and the results are that it did not find any threats. No log was given, so I hope I did this step correctly.
  15. Bobbye Helper on the Fringe

    Chip, I know this has been a long thread for you. You can have HijackThis remove the 2 "if" entries.

    I am concerned about your comment that none of the scans succeeded on IE. Can you clarify which scan you're referring to? The Kaspersky scan does not require you to use IE.

    If the AV scan is clean and the original problems have been resolved, you can remove the cleaning tools:
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.
    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    If I can be of further help, please let me know.
  16. chipopo Newcomer, in training

    Thanks Bobbye for sticking with me.
    I fixed the two entries with HJT.
    About the scans, the Kaspersky one only had an option to scan a specific file. I couldn't find a complete online scan. The one that did work was the last one (Java based) that you linked to, and only in Firefox. When I used Internet Explorer, pressing the scan button just left me stuck with a blank page (part of the page). [I don't remember if you were already or if this is related to the problem, but I have these problems with IE in other cases such as sending forms, watching embedded movies and even using the buttons in this very forum.]
    Now I'll move on to the cleanup.

    OK, I think this is it. I made a new restore point and cleaned up the old ones.
    Thanks again, Bobbye.
    About your kind offer, I do have a question but it's not about viruses. Is it possible to install a new and legal Windows XP over an old one (which apparently wasn't legal and is giving me a headache) without losing all of my settings, mail and other important files?
  17. Bobbye Helper on the Fringe

    Chip, do you mean to tell me we've been working on a pirated OS!?

    If it's another machine, I would think you should do a clean install, not over a pirated OS.