Hi, yesterday I received prompts from Avast that I had a virus and followed the steps to remove them. I would really appreciate some help finding out if they are actually gone. I do all of my banking online and need to know if it is still safe :-[.
My comp had the following viruses detected by Avast and Super AntiSpyware
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
P.S. Internet Explorer is considered a security hole by many computer security experts. Suggestions are to move to Firefox or another non-Internet Explorer browser. Internet Explorer cannot be safely uninstalled due to the tight integration with Windows internals, and requirements from various applications.
Close all browsers, run HJT again, find the relevant entry and tick the box to the left of it. Click the Fix checked button at the bottom of the window.
It took me a while but I realise now what HJT is. I followed Tech’s advice and downloaded DrWeb CureIT and ran the program. They found one suspicious file and I think it is the one that Polonus was trying to fix. O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n020p/EN/install/gtdownlr.cab does not appear when I run HJT anymore so I cannot fix it.
-Did I move something that I wasn’t supposed to? Can I take it out of quarantine? There is a file that looks similar sitting in the DrWeb CureIT quarantine (gtdownlr_126.ocx).
My computer is running a lot faster now, just want to feel safe.
From your “Log”, you appear to have the malware-prone Adobe Reader on your computer!? IF true, I recommend you read the info at http://forum.avast.com/index.php?topic=38839.0 . There are safer alternatives, such as the FREE “Foxit Reader” or “Cute PDF”.
In addition, you have the unnecessary “Bonjour\mDNSResponder” and should consider the Info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ and seriously consider uninstalling it by using the “Removal Instructions” there.
Thanks for the advice. I replaced Adobe Reader with Foxit, it’s very fast.
Just a few unresolved issues:
-Was my moving that file instead of fixing it as polonus recommended a problem?
-I see the Bonjour program in my control panel add/remove, is it not ok to uninstall from there?
-I guess there were no other problems with my log? As far as you can see am I free to do business as usual on the net?
It should be OK to uninstall the Bonjour program in my control panel add remove programs. The only proviso would be if it is required by Apple spit, iTunes, etc. as that is I believe a common culprit for installing it, that you would have to check to ensure it wouldn’t break any functionality.
I would say it is most certainly not normal. As you say it is associated with the Task Scheduler and if you didn’t create this Job then it is highly suspect. The lack of a meaningful name for a task is also suspect.
JOB is a file extension associated with Windows Task Scheduler Task Object.
You could open the Task Scheduler and check what this nztuezjh.job actually does, it might point to run some other files to try and compromise your system. If you are able to see what it is trying to do, post that here and disable the task. Notice I don’t say delete the task, just in case, we need to confirm what it is doing.
If it mentions running a specific file, check to see if that file exists in the location (you might need to use search to find it). If it exists, right click on it and select Scan selected areas, also check it out at virustotal, see below.
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Rename the mdnsNSP.dll file in that folder to mdnsNSP.old
Restart your computer
Delete the Program Files\Bonjour folder
The first command will stop and remove Bonjour Service from your computer. To confirm, go to Start > Run and type services.msc. Look for Bonjour Service name. If it’s not there, you’ve successfully removed it.
You also MAY want to consider the Info in the “Update” on the Raymond Site
that recommends a wizard tool available at www.serophos.net/au-revoir-bonjour !?
If you’ve installed software by Apple such as iTunes, or software by Adobe such as Premiere Pro, Photoshop CS2, Dreamweaver CS3, the chances are there’s already a Bonjour folder in your Program Files. This service starts automatically and runs a process named mDNSResponder.exe which cannot be ended by Windows Task Manager. If you do not want Bonjour to be in your computer and want to uninstall it, sometimes you can’t find any uninstaller for it! Even if you go to Control Panel’s Add or Remove Programs, you can’t find the uninstaller there either.
Here’s how to safely uninstall and remove the Bonjour service and files (mDNSResponder.exe and mdnsNSP.dll). Just follow the few simple steps below to remove Bonjour from your computer.
NOTE: Make sure you have administrator privileges before executing these commands. You might have to delete the quotes and input them manually, because the forum is outputting them as smart quotes.
Go to [Start > Run] and type the following command and hit OK.
* "%PROGRAMFILES%\Bonjour\mDNSResponder.exe" -remove
Go to [Start > Run] again and type the following command and hit OK.
* regsvr32 /u "%PROGRAMFILES%\Bonjour\mdnsNSP.dll"
After you restart, you can safely delete the Bonjour folder without errors.
To know if you have actually uninstalled Bonjour, open services.msc and see if there is a service similar to: “##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##”. If it is not there, then it has been uninstalled. But the folder and files remain in the Program Files folder, just in case you want to install it again.
If you encountered problems after uninstalling or removing Bonjour, you can download and reinstall Bonjour. If you have any problems, let us know,
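As an added example (not from the thread and not from the Raymond.cc article quoted above), here is a PowerShell script that checks the same three things the article's steps touch: the Bonjour service, the files in the Bonjour folder, and the Winsock namespace-provider registration of mdnsNSP.dll that the regsvr32 /u step undoes. It assumes Bonjour lives under %PROGRAMFILES%\Bonjour as the article states; the service/display names it looks for are the "Bonjour Service" and "##Id_String..." names mentioned in the thread. Remove-Bonjour runs the article's two commands and supports -WhatIf so you can see what it would do first.

```powershell
# Added example, not part of the thread or the quoted article.
# Assumes the article's install location: %PROGRAMFILES%\Bonjour
$BonjourDir = Join-Path $env:ProgramFiles 'Bonjour'

function Get-BonjourState {
    # The service normally shows as "Bonjour Service"; when the localized string
    # is missing, services.msc shows the raw "##Id_String2...##" name instead.
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*Bonjour*' -or
                       $_.DisplayName -like '*Bonjour*' -or
                       $_.DisplayName -like '##Id_String*' }
    $svcName = $null
    if ($svc) { $svcName = ($svc | Select-Object -First 1).Name }

    # netsh lists every registered Winsock namespace provider DLL. If mdnsNSP.dll
    # is still listed, the "regsvr32 /u" step has not taken effect yet.
    $catalog = netsh winsock show catalog 2>$null
    $nspRegistered = [bool]($catalog | Select-String -SimpleMatch 'mdnsNSP.dll' -Quiet)

    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceName    = $svcName
        ResponderExe   = Test-Path (Join-Path $BonjourDir 'mDNSResponder.exe')
        NspDll         = Test-Path (Join-Path $BonjourDir 'mdnsNSP.dll')
        NspRegistered  = $nspRegistered
    }
}

function Remove-Bonjour {
    # Runs the article's two commands in order; needs an administrator prompt.
    # Use "Remove-Bonjour -WhatIf" to preview without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $exe = Join-Path $BonjourDir 'mDNSResponder.exe'
    $dll = Join-Path $BonjourDir 'mdnsNSP.dll'

    if ((Test-Path $exe) -and $PSCmdlet.ShouldProcess($exe, 'mDNSResponder.exe -remove')) {
        Start-Process -FilePath $exe -ArgumentList '-remove' -Wait -NoNewWindow
    }
    if ((Test-Path $dll) -and $PSCmdlet.ShouldProcess($dll, 'regsvr32 /u')) {
        # /s keeps regsvr32 from popping up a result dialog
        Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -NoNewWindow
    }
    # After a restart the Bonjour folder can be deleted; Get-BonjourState should
    # then report every field as False.
}

Get-BonjourState | Format-List
```

Run Get-BonjourState before and after the removal steps: the before run tells you whether Bonjour is even installed (so you are not chasing a file that is already gone), and the after run confirms the service and the Winsock registration are gone before you delete the folder.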
Thanks for clarifying, I will try to uninstall Bonjour again manually on the weekend since it doesn’t seem dangerous. I did try to follow the instructions from the link that Spiritsongs provided but stopped after a few attempts at following the directions (the virus was more of a concern), it wouldn’t recognize the command.
I double clicked on the task scheduler and the program is set to run .exe "C:\WINDOWS\system32\urqPgDUm.dll",ShellPath. I tried to search for the folder but could not locate it to do a scan. I did a ‘search’ and also I looked directly in the System32 folder.
I couldn’t find any trace of an application or file with the name nztuezjh other than the .job file sitting in my task scheduler.
I should also mention scheduler says that the last result was 0X103 and that the creator was me. What does that mean, 0X103? My other tasks are 0X0 (maybe something to do with me stopping it?)
The task scheduler restarted when I turned my computer on, is that ok? I amended the task to run every 999 days for now.
That was just the .job name, the dastardly deed is the string/command inside, and the urqPgDUm.dll would probably inject .exe files when run with code to do its bidding. Keep this task disabled, and also keep the Task Scheduler disabled if there are no schedules in there that you created.
Upload that urqPgDUm.dll file to virustotal (VT) as the above link to VT and report the results.
Depending on the results of the VT results, if multiple scanners detect it as malicious, likely, then we would delete the task, but first report the findings. As a temporary measure you could rename the urqPgDUm.dll file to something like XXXurqPgDUm.dll, so even if that task manager task ran, the file it would be trying to run wouldn’t exist as we renamed it.
I have no idea what 0X103 is, hopefully an error code that it didn’t work, but that is optimistic speculation on my part. The creator is whatever account was logged on, as malware inherits your permissions.
Personally I would say Bonjour is a minor issue, which you can get to once you are sure your system is clean, something created that .job and it wasn’t you.
Work through Tech’s steps 1 - 3, on step 3 only download, install, update and run SAS and MBAM (the first two on that line) and report the findings - preferably run them from safe mode, it makes dealing with any infections found more effective.
Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
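The thread's advice about the nztuezjh.job task (open the Task Scheduler, see what the task runs, check whether that file exists, hash or upload it to VirusTotal, note the last result) can be done for every task at once. The following PowerShell script is an added example, not something posted in the thread. It reads the output of schtasks.exe, which exists on the XP-era Task Scheduler 1.0 (.job files) as well as on current Windows, and flags the patterns the thread discusses: an action that loads a DLL, a target file that no longer exists at the stated path, an eight-lowercase-letter name like the one in the thread, and a non-zero last result. For files that do exist it prints a SHA-256 so the hash can be searched on VirusTotal first. The name heuristic and the column names "Task To Run" and "Last Result" are assumptions about schtasks /v output; the heuristic will also flag some legitimate tasks, so treat the list as things to look at, not things to delete.

```powershell
# Added example, not from the thread. Audits scheduled tasks for the warning
# signs discussed above and hashes any existing target for a VirusTotal lookup.

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing so this works on PowerShell versions without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Get-TaskTargetPath {
    # Pulls the file a task really runs out of its "Task To Run" string.
    # Handles   "C:\path\prog.exe" args   and   rundll32.exe "C:\path\x.dll",Entry
    param([string]$Command)
    $tokens = [regex]::Matches($Command, '"([^"]+)"|(\S+)') | ForEach-Object {
        if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
    }
    # Prefer a DLL argument (rundll32 style) over the launcher itself
    $dll = $tokens | Where-Object { $_ -match '\.dll(,|$)' } | Select-Object -First 1
    if ($dll) { return ($dll -replace ',.*$', '') }
    return ($tokens | Select-Object -First 1)
}

function Get-SuspiciousTasks {
    $rows = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($r in $rows) {
        if ($r.TaskName -eq 'TaskName') { continue }          # repeated header rows
        $cmd = $r.'Task To Run'
        if (-not $cmd -or $cmd -eq 'N/A') { continue }

        $target = Get-TaskTargetPath $cmd
        if (-not $target) { continue }
        $target = [Environment]::ExpandEnvironmentVariables($target)
        $exists = Test-Path -LiteralPath $target -PathType Leaf

        $reasons = @()
        if ($cmd -match 'rundll32|\.dll') { $reasons += 'loads a DLL' }
        if (-not $exists -and $target -match '[\\/]') { $reasons += 'target file missing' }
        $leaf = Split-Path -Leaf $r.TaskName
        if ($leaf -cmatch '^[a-z]{8}$') { $reasons += 'random-looking name (assumed heuristic)' }
        $last = $r.'Last Result'
        if (@('0', '0x0') -notcontains $last) { $reasons += "last result $last" }
        if ($reasons.Count -eq 0) { continue }

        $hash = $null
        if ($exists) { $hash = Get-Sha256 $target }

        [pscustomobject]@{
            TaskName = $r.TaskName
            Command  = $cmd
            Target   = $target
            Exists   = $exists
            Sha256   = $hash      # search this on VirusTotal before uploading anything
            Reasons  = $reasons -join '; '
        }
    }
}

Get-SuspiciousTasks | Format-List
```

A task whose target is missing (the OP's case, where the DLL could not be found in System32) is worth as much attention as one whose target exists: the file may be hidden, already removed by a scanner, or living at a path the Explorer view hides until hidden and system files are shown, which is exactly why the post above asks for those Folder Options changes before searching.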