Virus attack on my computer - hjt log

[chipopo]

Howard & rahul thanks for staying with me.
like i said i went through all of the steps and here are most of the logs. for some reason i couldn't get to the Nod32 log in safe mode and now i can't seem to find it. but as far as i remember there were no special findings exept for a list of files which are considered by the av as 'locked'.
so you can check out the logs while i do what Howard wrote.

it wouldn't let me attach more than 5.
the root kit didn't find a thing.
the 3 tools didn't either.

deleted all the quarintined files in avg anti-spyware.
didn't find the service.
the processes weren't there.
found and fixed these two:
O4 - HKLM\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
didn't find the files in the system32 folder but i did find C:\WINDOWS\System32\wbem\scrcons.exe - i renamed it. is that ok? should i leave it that way?
i deleted all the entries in the registry.
bty this file: avgas.exe (which is also seen on the HJT log) keeps asking for permission to connect to the web everytime i start windows. should i allow it?
there are 2 HJT logs - one from during the steps you asked and the 2nd from after.
i'll give you the AVG log later 'cause i'm dead tired and going to hit the sack.

i've been trying to do some windows upgrading and for some reason the application can't connect to the net. just now i tried again and i was asked by comodo to allow some file to connect. i allowed it but then i was asked again and i realize that the file dvdupgrd.exe was involved. so i tried committing the file for analysis (do i get the results ?) and something wouldn't let the file get through.
i don't know if this is of any importance but i'm letting you know anyway.
good night

 

[rahul_intlad]

avgas.exe is for avg anti-spyware ,allow it to access the internet.Your avg scans are again showing malware from Internet explorer extensions.

When you are free could you do this:

In your internet explorer go to tools->internet options ->programs ->manage ad-ons

From there could you check:
1>.ad-ons currently loaded in Internet explorer
2>. ad-ons that run without requiring permission
3>. downloaded active-x
4>. ad-ons that have been used by internet explorer.

Could you post these as an image file or just post details about ones that are from suspicious publishers.

 

[howard_hopkinso]

Your last HJT log is clean, except for the dvdupgrd.exe problem.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

dvdupgrd.exe

Close task manager.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\System32\dvdupgrd.exe

Repeat the regedit instructions for dvdupgrd.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let us know what problems you`re having, if any.

Regards Howard

This thread is for the use of chipopo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[chipopo]

good morning

rahul,
i can't find what you said. i've got IE > tools > internet options > programs but there's no manage add-ons there.
Howard, i'm sorry about the multiples but i could only attach 5 attachments and i had more (for instance i couldn't add the avg report to that reply you edited because it exceeds the limit of allowed number of attachments - so it's here). i also didn't know if it's better to mix up two different topics in one reply (when there's sometimes a few hours between them) - but in this case if you'd rather it i can make them one post.
i'll get to what you said a little later when i'll have time.

 

[howard_hopkinso]

Your AVG Antispyware log is clean.

It`s a fresh HJT log I need to see.

Regards Howard

This thread is for the use of chipopo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[chipopo]

here's the log

hi Howard.
i did everything you said.
i didn't any see any process by that name.
i deleted C:\WINDOWS\System32\dvdupgrd.exe
i cleaned the registry from and dvdupgrd.exe entries.
if you get to the conclusion that the computer is clean what could be the reason that startup still takes so long (about a minute just waiting for the 'windows is starting up' screen!)?

 

[howard_hopkinso]

Your HJT log is now clean. Hopefully, it`ll stay that way.

As for your slow start up, lets try stopping a few things from running at start up. Hopefully, that will improve things somewhat.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

AVG Anti-Spyware Guard
Ad-Aware 2007 Service<if you can find an older version of Ad-Aware, it won`t have this service. Obviously, your current version won`t run with out this service being started. But you could start it manually, when you wanted.

NVIDIA Display Driver Service<Not needed.

Close the services window.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

Click on the fix checked button.

Close HJT and reboot your system.

Go HERE and follow the instructions for speeding up your system.

Let us know if that helps.

Regards Howard

This thread is for the use of chipopo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[chipopo]

first of all thanks a lot for all the help. it seems like the bad guys really left here.
the overall speed of the computer is pretty much fine, it's just startup that takes a whole lot of time (suspicןously i must add). i checked again and its 80 seconds just on that screen i mentioned.
i did all what you said and some of what's in the guide but it doesn't seem to help. if it's of any importance i should mention that while disabling the services you told me, i noticed there were a lot of others running. is that normal?
any other ideas or are we back to formatting?

 

[howard_hopkinso]

It`s quite normal to have a lot of services running. The vast majority of which are need for your system to operate properly.

I had an issue several month ago with a very slow start up. I knew for a fact it wasn`t malware related. I tried everything I could think of to solve the problem to no avail. In the end I got so fed up, I formatted and reinstalled. Problem solved.

I`m not sure what the problems was, but can only assume it was some kind of corruption.

Anyway, I`m glad we seemed to have solved your malware problem. I`m just sorry, I`ve been unable to solve your slow start up problem.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of chipopo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[chipopo]

about comodo firewall

so now my pc is working nice and smooth :slurp:
i have a question about comodo. how do i know which applications i'm supposed to allow access and which deny? also is there a way of automating this procedure (even partially) or do i have to go through this on each startup?
is there a way of disabling windows messenger from running? do i need it?
one last thing, i'm getting some runtime errors while browsing do you what i should do? (i installed windows updates exept for sp2 - should i install it too? i used update manager and it didn't show sp2).
thank for everything up to now

 

[howard_hopkinso]

I don`t use Comodo myself, so I`m very limited as to what I know about it.

Checkout the Comodo user guide. This should tell you how best to configure Comodo. There is I believe an option for Comodo to scan your system for trusted applications and create the necessary friewall rules for these.

I recommend you install sp2 asap. This will help to protect your system.

I`m not sure what the runtime errors are as the error mssages don`t reveal very much.

Regards Howard

This thread is for the use of chipopo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[chipopo]

thanks

thanks Howard i think i'm cool now.
i stopped using IE and those error messages stopped comming. i also installed SP2 just now, maybe it will help too.
and thanks for the guide, i'm going through it now.