Logs attached, please help

Status
Not open for further replies.

stopcrime2009

I have been hacked big time. If you have time, please review my log. I am trying to figure out if I should just reformat my whole computer and reinstall Windows XP.

I am so afraid of what they got. They were using Skype to upload files, etc.

Thanks in advance.


CM
 

Attachments

  • mbam-log-2009-04-17 (02-47-57).txt
Please review these logs. Thanks.

This is my 1st computer's log. This goes with the original post.

Final log. Sorry.


Please take a look at all of this. I truly appreciate it. Thanks in advance.
 
I had not expected that you had sent the log files from two computers.

Let us take one computer at a time, otherwise it becomes confusing ;)

I also notice you have two Antivirus programs running ->
"Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection. Not more."

Remove/uninstall from "Add/remove programs" in Control Panel:
One of your antivirus programs


Then please run the 8-step Viruses guide on computer Nr. one:


Post attached logs from:

Malwarebytes
SUPERAntiSpyware
HijackThis


In your next reply
 
1st computer log files attached

Thanks for helping me with this. This is computer 1.


Please review the attached files.

Thanks in advance.
 
The following are not spyware/malware, but I suggest you place a check mark next to the following entries and hit Fix checked, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
(Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
(Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
(Description: Adobe reader startup - unnecessarily uses system resources.)


Reboot. If computer Nr. 1 is running fine, I'll suggest you continue with computer Nr. 2 ;)
 
Thank you for responding. I appreciate it. I also would like to know what the top of the line antivirus, all-in-one suite is that I could buy from now on. I want to have complete protection. I cannot trust my former suite at all. Too many trojan downloaders got through.

Thanks.
 
You have McAfee and Symantec presently installed so I agree they both aren't good

Do this, and you will be much better off ;)

Uninstall your McAfee Antivirus
Then run the McAfee Removal Tool

Restart

Uninstall your Symantec (or Norton) Antivirus (if it's even listed in Add\Remove programs)
Then run the Norton Removal tool

Restart

Install Avira free AntiVirus (being the best one IMO)
Update it, then run a full scan

Much better off :)
 
I will post logs up tomorrow for computer #2. Thanks again.

Ok I will do this in the morning. I did not even know I have Symantec on here also. I will put the Avira on. Thanks.

 
Let's review the security programs: Who's Confused?!


The HJ log for Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 4:37:12 PM, on 4/18/2009 (Post #3) shows
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
AND
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
AND
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

The HJ log for Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 10:26:27 PM, on 4/20/2009 (Post #3) shows
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe ONLY


Computer #1: Post 3: shows the McAfee Suite and Avast
Computer #1: Post 5: shows Avast only. McAfee removed.
"I did not even know I have Symantec on here also. I will put the Avira on."

Another HJ log in Post 3:
Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 6:15:56 PM, on 4/18/2009 shows
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
AND
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
Actually, there is Avast already installed and running. There are also 2 entries left from Symantec/Norton which can be removed by running the Norton Removal Tool.

It would be very helpful if you clearly told us WHICH of these logs is for Computer #2, as they are all presented as Computer #1.

My suggestion would be: If you have Avast or Avira, don't make a change. If you have PAID for the McAfee Suite, I would urge you to keep it for now. If it is only a trial version, okay to uninstall. Otherwise, remove the free programs and wait until the McAfee subscription comes due and THEN make a change.

But I would like to discourage you from having ANY suite. You can find free-standing, free antivirus, firewall and spyware/adware programs. Why pay for a suite, especially one that doesn't work well?

But understand that you, the user, are the first line of defense on computer security. No matter what security programs you have in place, what you do while online (email and surfing) makes the final malware decision!

You have TeaTimer running. Real Time Protections must be temporarily disabled while scanning:
SPYBOT TEATIMER

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable TeaTimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
 
I am sorry. I thought I only uploaded computer 1 in the end. The final post with attachments.

Post #5 is the correct post for computer #1. I will disable teatimer.
 
Confirm please: Computer #1 is running Avast as the only AV program.

touch will finish with your logs.
 
Yes computer 1 is only using Avast now. Thanks.

Here is computer #2 logs. Thanks in advance.

Problem with computer #2

Avira found the trojan, TR/Vundo.Gen

It was quarantined and then deleted. Should I do any more with this?

Thanks!
 
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA2413] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5388] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7771] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8625] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O18 - Filter hijack: text/html - {5ca02e1f-6fbf-4522-8ba6-5a131f4601e3} - (no file)



Reboot, attach new HijackThis log
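
The triage the helpers do by eye in this thread, as an added example that is not part of the original posts: it reads HijackThis log lines, reports which antivirus vendors appear (matched by path fragments, an assumed mapping limited to the products named here), and lists `(no file)` entries whose target file is missing. The sample log is constructed from lines quoted in the posts above.

```python
import re

# Constructed sample: lines taken from the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O18 - Filter hijack: text/html - {5ca02e1f-6fbf-4522-8ba6-5a131f4601e3} - (no file)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# Lower-cased path fragment -> vendor. Assumed mapping, covering only this thread's products.
AV_MARKERS = {
    r"\symantec shared": "Symantec",
    r"\alwil software\avast": "Avast",
    r"\mcafee": "McAfee",
    r"\avira": "Avira",
}
# Registry-derived entries start with a section code such as R0, O2, O4, O18, O23.
ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")

def analyze(log_text):
    """Return (sorted vendors, orphaned entries, O4 startup entries) for a log."""
    vendors, orphans, startup = set(), [], []
    for line in log_text.splitlines():
        line = line.strip()
        lowered = line.lower()
        for marker, vendor in AV_MARKERS.items():
            if marker in lowered:
                vendors.add(vendor)
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line or running-process path
        code, body = m.groups()
        if body.endswith("(no file)"):
            orphans.append((code, body))  # registry entry points at a missing file
        elif code == "O4":
            startup.append(body)  # autostart entry worth a manual look
    return sorted(vendors), orphans, startup

if __name__ == "__main__":
    vendors, orphans, startup = analyze(SAMPLE_LOG)
    if len(vendors) > 1:
        print("Multiple antivirus products present:", ", ".join(vendors))
    for code, body in orphans:
        print("Orphaned entry (target file missing):", code, body)
```

The script only reads a saved log; fixing entries still happens in HijackThis itself.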
 