I unwisely downloaded a pirated program. When I deleted it, it deleted (and seems like it continues to do so) not only itself, but other programs. How can I search for whatever it is that is doing this?
Thanks for any help you can offer!!!
:-[
What security programs have you got / run? Do they show any infections?
Avast 3.8 Home
Holy shit ;D How old is that?
Run these 2 programs: HijackThis, choose scan and save logfile, copy/paste the log. MalwareBytes, install, update, run quick scan, copy/paste the log.
http://filehippo.com/download_hijackthis/
http://filehippo.com/download_malwarebytes_anti_malware/
You need to install the latest Avast also. Uninstall the previous one: http://filehippo.com/download_avast_antivirus/
Run Avast and report findings
I have to go out but will do what you advise upon my return in about three hours. Thanks!!!
Aloha,
Jim
Perhaps what windward downloaded was a cracked version of the old avast 3.8 or a fake version of same.
See this Scandoo/Google search:
http://g.s.scandoo.com/search?hl=en&meta=on&q=avast+3.8
Hi, the results are attached.
Thanks!
Jim
Hi Jim -
An analysis of your HJT log shows the following problems:
It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.
O4 - HKUS\S-1-5-19..\Run: [loyupalije] Rundll32.exe "C:\WINDOWS\system32\kisafigu.dll",s (User 'LOCAL SERVICE')
Bad entry - related to Fraudulent Security Program and/or Cloaked Malware.
http://www.prevx.com/filenames/X847075267034382515-X1/KISAFIGU.DLL.TMP.html
O4 - HKUS\S-1-5-20..\Run: [loyupalije] Rundll32.exe "C:\WINDOWS\system32\kisafigu.dll",s (User 'NETWORK SERVICE')
Bad entry - Adware.Vundo/Variant-EC.Process
http://www.fileresearchcenter.com/applicationdisplay.html?id=14337
O20 - AppInit_DLLs: ,
Bad entry - Very few legitimate programs use it, and most often it is used by trojans or aggressive browser hijackers.
There were a few more questionable entries but they seem to be OK from research.
Overview of running tasks (process - type - description):

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
Ati2evxx.exe - Driver - ATI Display Adapter Assistant
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
spoolsv.exe - System task - Microsoft Printer Spooler Service
schedul2.exe - Backgroundtask - Acronis True Image Scheduler
AppleMobileDeviceService.exe - Backgroundtask - Apple Mobile Device Service
ALUSchedulerSvc.exe - Virusscan - Symantec LiveUpdate Scheduler
Ati2evxx.exe - Driver - ATI Display Adapter Assistant
mDNSResponder.exe - Backgroundtask - Bonjour for Windows Component
DevSvc.exe - Backgroundtask - Capture Device Service
Explorer.EXE - System task - Microsoft Windows Explorer
DTSRVC.exe - Backgroundtask - Display Tuning Service
LSSrvc.exe - Backgroundtask - NERO Light Scribe Module
MDM.EXE - Backgroundtask - Machine Debug Manager
StarWindService.exe - Backgroundtask - Alcohol 120% StarWind
svchost.exe - System task - Microsoft Service Host Process
symlcsvc.exe - Firewall - Norton Internet Security Suite
TrueImageTryStartService.exe - Backgroundtask - TrueImageTryStartService.exe
ULCDRSvr.exe - Application - Ulead DVD Workshop Server
wscntfy.exe - System task - Microsoft Windows Security Center
LVCOMSX.EXE - Application - Logitech multimedia webcam
SOUNDMAN.EXE - Backgroundtask - Realtek Avance Logic Inc
PrnPack.exe - Unknown task - Unknown task
Rundll32.exe - Virus - MIROOT WORM! - http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=805
Rundll32.exe - System task - Microsoft Rundll32
Opware15.exe - Backgroundtask - OmniPage from Nuance (was ScanSoft)
KBD.EXE - Backgroundtask - Multimedia keyboard manager
ipoint.exe - Driver - Microsoft IntelliPoint
hpsysdrv.exe - Application - Hewlett-Packard Monitoring Tool
hphmon06.exe - Driver - Hewlett-Packard Printing Products
atiptaxx.exe - Application - ATI graphics card drivers
dpupdchk.exe - Backgroundtask - dpupdchk.exe
cli.exe - Application - ATI Catalyst
svchost.exe - System task - Microsoft Service Host Process
ALCWZRD.EXE - System task - Realtek High Definition audio driver related
DTHtml.exe - Backgroundtask - Display Tune
ALCMTR.EXE - Driver - Realtek Event Monitor
AGRSMMSG.exe - System task - IBM AMR modem driver
schedhlp.exe - Backgroundtask - Acronis True Image Component
HookManager.exe - Backgroundtask - Context Menu Utility
Acrotray.exe - Backgroundtask - Acrobat Traybar Assistant
AcctMgr.exe - Application - Norton Password Manager
HPWuSchd2.exe - Backgroundtask - Hewlett Packard Software Update Scheduler
iTunesHelper.exe - Application - Apple iTunes
OpAgent.exe - Backgroundtask - OmniPage Agent Application
msmsgs.exe - Application - MSN Messenger
ISUSPM.exe - Backgroundtask - InstallShield Update Service Scheduler
ctfmon.exe - System task - Alternative User Input Services
iPodService.exe - Backgroundtask - Apple iTunes
ymsgr_tray.exe - Backgroundtask - Yahoo! Messenger Server Traybar
wuauclt.exe - System task - AutoUpdate Client
cli.exe - Application - ATI Catalyst
cli.exe - Application - ATI Catalyst
iexplore.exe - Application - Microsoft Internet Explorer
infocard.exe - Backgroundtask - Windows CardSpace
HijackThis.exe - Application - Merijn HijackThis
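The analysis above rests on three observations about the HJT log: autostart entries living under the service-account SIDs S-1-5-19 and S-1-5-20, Rundll32 being used to load a DLL with a random-looking name from system32 at logon, and AppInit_DLLs being set at all. The following Python script is an added example (my own code, not part of this thread, and not anything shipped with HijackThis or Avast) that applies exactly those checks to a log automatically, so a helper can triage a pasted log before reading it line by line. The sample log inside it is constructed: the three suspicious lines reproduce the O4 and O20 entries quoted above, and the iTunesHelper line is a benign entry I made up from a process the same post lists. The section codes and regular expressions follow the HJT line format shown in the log; nothing else is assumed.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in HijackThis format (see the lead-in): the two O4 lines
# and the O20 line are the entries quoted in the analysis; the first O4 line is
# a made-up benign autostart for comparison.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19..\Run: [loyupalije] Rundll32.exe "C:\WINDOWS\system32\kisafigu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [loyupalije] Rundll32.exe "C:\WINDOWS\system32\kisafigu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ,
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4" or "O20"
    subject: str   # the log line (or DLL path) the finding is about
    reason: str    # why it was flagged


# O4 lines look like "O4 - HKLM\..\Run: [name] command" or
# "O4 - HKUS\S-1-5-19..\Run: [name] command (User 'LOCAL SERVICE')".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\(?P<sid>S-1-5-\d+)?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Rundll32 invoked with a quoted or bare DLL path as its first argument.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")

# Run keys under the built-in service-account SIDs (S-1-5-19 LOCAL SERVICE,
# S-1-5-20 NETWORK SERVICE). Ordinary software does not register autostarts
# there, so any entry is worth a second look.
SERVICE_SIDS = {"S-1-5-19", "S-1-5-20"}


def triage(log_text: str) -> list[Finding]:
    """Return the entries of a HijackThis log that match the three heuristics."""
    findings: list[Finding] = []
    dll_sids: dict[str, set[str]] = defaultdict(set)  # DLL path -> SIDs it autostarts under

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O4_RE.match(line)
        if m:
            sid, cmd = m.group("sid"), m.group("cmd")
            if sid in SERVICE_SIDS:
                findings.append(Finding("O4", line, f"autostart registered under service account {sid}"))
            dll = RUNDLL_RE.search(cmd)
            if dll:
                path = dll.group("dll").lower()
                findings.append(Finding("O4", line, f"Rundll32 loads {path} at logon; verify the DLL's publisher"))
                if sid:
                    dll_sids[path].add(sid)
            continue

        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("O20", line, f"AppInit_DLLs is set ({m.group('value')!r}); legitimate use is rare"))

    # The same DLL injected under several accounts is the pattern the
    # kisafigu.dll entries show; report it once, separately from the lines.
    for path, sids in sorted(dll_sids.items()):
        if len(sids) > 1:
            findings.append(Finding("O4", path, f"{path} autostarts under {len(sids)} accounts: {', '.join(sorted(sids))}"))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.subject}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the six findings for the constructed sample, or replace SAMPLE_LOG with a pasted log. The cross-account check is the one that separates this case from a stray Rundll32 entry: a single DLL registered to run as both LOCAL SERVICE and NETWORK SERVICE has no ordinary installer behind it.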
Thanks!
I use Avast 4.8 Home, but I had it turned off when I did the scan.
Is your advice to buy Prevue to solve the problem? Or can I do it with Avast?
Thanks again for your time!!!
Aloha,
Jim
There is no need to turn off avast while doing a HJT scan.
No, do not buy anything. I would suggest that you first run a boot-time scan with Avast.
Then, a scan with Malwarebytes Anti-Malware (MBAM). Download MBAM from the link below, install it, update it, and then run a quick scan. Post the MBAM log here for someone to read.
We will see what comes after the above.
As I tell everyone: PLEASE do not pirate stuff; it will infect your computer with all kinds of nasty viruses.
The boot scan didn’t turn up anything, and I don’t think the Malware did either. Here is the log…
Thanks again for your time. I sure do appreciate it!
Malwarebytes’ Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 3
9/2/2009 2:30:45 PM
mbam-log-2009-09-02 (14-30-45).txt
Scan type: Quick Scan
Objects scanned: 136248
Time elapsed: 6 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Aloha,
Jim
Here is the Avast warning log…
8/31/2009 2:52:08 PM SYSTEM 432 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
8/31/2009 8:12:30 PM SYSTEM 432 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 8:42:17 AM SYSTEM 1988 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 1:03:38 PM SYSTEM 1988 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 2:58:31 PM SYSTEM 1972 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 7:02:52 PM SYSTEM 1972 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 11:03:22 PM SYSTEM 1972 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/2/2009 7:36:52 AM SYSTEM 1984 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/2/2009 8:26:58 AM HP_Owner 4044 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/2/2009 2:21:06 PM SYSTEM 1500 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\HP_Owner\Desktop\WindowsXP-KB958644-x86-ENU.exe (C:\Documents and Settings\HP_Owner\Desktop\WindowsXP-KB958644-x86-ENU.exe) returning error, 00000026.