programs being deleted without me deleting them...

I unwisely downloaded a pirated program. When I deleted it, it deleted (and seems like it continues to do so) not only itself, but other programs. How can I search for whatever it is that is doing this?
Thanks for any help you can offer!!!
:-[

What security programs have you got / run? Do they show any infections?

Avast 3.8 Home

Holy shit ;D How old is that?
Run these 2 programs: HijackThis, choose scan and save logfile, copy/paste the log. MalwareBytes, install, update, run quick scan, copy/paste the log.

http://filehippo.com/download_hijackthis/
http://filehippo.com/download_malwarebytes_anti_malware/
You need to install the latest Avast also. Uninstall the previous one first: http://filehippo.com/download_avast_antivirus/
Run Avast and report findings

I have to go out but will do what you advise upon my return in about three hours. Thanks!!!
Aloha,
Jim :slight_smile:


Perhaps what windward downloaded was a cracked version of the old avast 3.8 or a fake version of same.

See this Scandoo/google search :

http://g.s.scandoo.com/search?hl=en&meta=on&q=avast+3.8


Hi, the results are attached.
Thanks!
Jim :slight_smile:


Hi Jim -

An analysis of your HJT log shows the following problems :

It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

O4 - HKUS\S-1-5-19..\Run: [loyupalije] Rundll32.exe “C:\WINDOWS\system32\kisafigu.dll”,s (User ‘LOCAL SERVICE’)
Bad entry - related to Fraudulent Security Program and/or Cloaked Malware.
http://www.prevx.com/filenames/X847075267034382515-X1/KISAFIGU.DLL.TMP.html

O4 - HKUS\S-1-5-20..\Run: [loyupalije] Rundll32.exe “C:\WINDOWS\system32\kisafigu.dll”,s (User ‘NETWORK SERVICE’)
Bad entry - Adware.Vundo/Variant-EC.Process
http://www.fileresearchcenter.com/applicationdisplay.html?id=14337

O20 - AppInit_DLLs: ,
Bad entry - Very few legitimate programs use it and most often it is used by trojans or aggressive browser hijackers.

There were a few more questionable entries but they seem to be OK from research.

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

Ati2evxx.exe
Driver
ATI Display Adapter Assistant

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

spoolsv.exe
System task
Microsoft Printer Spooler Service

schedul2.exe
Backgroundtask
Acronis True Image Scheduler

AppleMobileDeviceService.exe
Backgroundtask
Apple Mobile Device Service

ALUSchedulerSvc.exe
Virusscan
Symantec LiveUpdate Scheduler

Ati2evxx.exe
Driver
ATI Display Adapter Assistant

mDNSResponder.exe
Backgroundtask
Bonjour for Windows Component

DevSvc.exe
Backgroundtask
Capture Device Service

Explorer.EXE
System task
Microsoft Windows Explorer

DTSRVC.exe
Backgroundtask
Display Tuning Service

LSSrvc.exe
Backgroundtask
NERO Light Scribe Module

MDM.EXE
Backgroundtask
Machine Debug Manager

StarWindService.exe
Backgroundtask
Alcohol 120% StarWind

svchost.exe
System task
Microsoft Service Host Process

symlcsvc.exe
Firewall
Norton Internet Security Suite

TrueImageTryStartService.exe
Backgroundtask
TrueImageTryStartService.exe

ULCDRSvr.exe
Application
Ulead DVD workshop Server

wscntfy.exe
System task
Microsoft Windows Security Center

LVCOMSX.EXE
Application
Logitech multimedia webcam

SOUNDMAN.EXE
Backgroundtask
Realtek Avance Logic Inc

PrnPack.exe
Unknown task
Unknown task

Rundll32.exe
Virus
MIROOT WORM! - http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=805

Rundll32.exe
System task
Microsoft Rundll32

Opware15.exe
Backgroundtask
OmniPage from Nuance (was Scansoft)

KBD.EXE
Backgroundtask
Multimedia keyboard manager.

ipoint.exe
Driver
Microsoft IntelliPoint

hpsysdrv.exe
Application
Hewlett-Packard Monitoring Tool

hphmon06.exe
Driver
Hewlett-Packard Printing Products

atiptaxx.exe
Application
ATI graphics card drivers

dpupdchk.exe
Backgroundtask
dpupdchk.exe

cli.exe
Application
ATI Catalyst

svchost.exe
System task
Microsoft Service Host Process

ALCWZRD.EXE
System task
RealTek High Definition audio driver related

DTHtml.exe
Backgroundtask
Display Tune

ALCMTR.EXE
Driver
Realtek Event Monitor

AGRSMMSG.exe
System task
IBM AMR modem driver

schedhlp.exe
Backgroundtask
Acronis True Image Component

HookManager.exe
Backgroundtask
Context Menu Utility

Acrotray.exe
Backgroundtask
Acrobat Traybar Assistant

AcctMgr.exe
Application
Norton Password Manager

HPWuSchd2.exe
Backgroundtask
Hewlett Packard Software Update Scheduler

iTunesHelper.exe
Application
Apple Itunes

OpAgent.exe
Backgroundtask
OmniPage Agent Application

msmsgs.exe
Application
MSN Messenger

ISUSPM.exe
Backgroundtask
InstallShield Update Service Scheduler.

ctfmon.exe
System task
Alternative User Input Services

iPodService.exe
Backgroundtask
Apple iTunes

ymsgr_tray.exe
Backgroundtask
Yahoo! Messenger Server Traybar

wuauclt.exe
System task
AutoUpdate Client

cli.exe
Application
ATI Catalyst

cli.exe
Application
ATI Catalyst

iexplore.exe
Application
Microsoft Internet Explorer

infocard.exe
Backgroundtask
Windows CardSpace

HijackThis.exe
Application
Merijn Hijackthis
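
The O4 and O20 findings in the analysis above can be reproduced over a saved HijackThis log with a short script. This Python example is added here and is not part of the original thread or of HijackThis; the sample log is constructed from the entries quoted above, and the flagging rules (service-account SIDs, a value name repeated across hives) are illustrative assumptions.

```python
import re

# Constructed sample modelled on the entries quoted in the post above
# (straight quotes and the "\..\Run" path form that HijackThis writes).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKUS\S-1-5-19\..\Run: [loyupalije] Rundll32.exe "C:\WINDOWS\system32\kisafigu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [loyupalije] Rundll32.exe "C:\WINDOWS\system32\kisafigu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ,
'''

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs:(?P<dlls>.*)$')
# Accept smart quotes too: logs pasted through forum software often carry them.
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+["“]?(?P<dll>[^"“”,]+\.dll)', re.I)
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

def triage(log_text):
    """Return review findings for HijackThis O4/O20 lines (illustrative heuristics)."""
    findings = []
    seen = {}  # (value name, dll path) -> hives where that pair appears
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            dll = DLL_RE.search(m["cmd"])
            if not dll:
                continue  # plain executable autostart; not covered by this example
            key = (m["name"], dll["dll"].lower())
            seen.setdefault(key, []).append(m["hive"])
            if m["hive"].endswith(SERVICE_SIDS):
                findings.append(f"service-account Run key loads DLL via rundll32: "
                                f"{key[1]} [{m['name']}] in {m['hive']}")
            continue
        m = O20_RE.match(line)
        if m:
            dlls = [d for d in re.split(r'[,\s]+', m["dlls"]) if d]
            findings.append("AppInit_DLLs lists: " + ", ".join(dlls) if dlls
                            else "AppInit_DLLs is set but names no DLL; inspect the raw registry value")
    for (name, dll), hives in seen.items():
        if len(hives) > 1:
            findings.append(f"same autostart [{name}] -> {dll} repeated in {len(hives)} hives")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding here only marks a line for manual review; it does not identify the malware family.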


Thanks!
I use Avast 4.8 Home, but I had it turned off when I did the scan.
Is your advice to buy Prevue to solve the problem? Or can I do it with Avast?
Thanks again for your time!!!
Aloha,
Jim


There is no need to turn off avast while doing a HJT scan.

No, do not buy anything. I would suggest that you first run a boot-time scan with avast.

Then, a scan with malwarebytes antimalware (MBAM). Download MBAM from the link below, install it, update it, and then run a quick scan. Post the MBAM log here for someone to read.

We will see what comes after the above.


As I tell everyone PLEASE do not pirate stuff, it will infect your computer with all kinds of nasty viruses.

The boot scan didn’t turn up anything, and I don’t think the Malware did either. Here is the log…
Thanks again for your time. I sure do appreciate it!


Malwarebytes’ Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 3

9/2/2009 2:30:45 PM
mbam-log-2009-09-02 (14-30-45).txt

Scan type: Quick Scan
Objects scanned: 136248
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Aloha,
Jim

Here is the Avast warning log…
8/31/2009 2:52:08 PM SYSTEM 432 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
8/31/2009 8:12:30 PM SYSTEM 432 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 8:42:17 AM SYSTEM 1988 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 1:03:38 PM SYSTEM 1988 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 2:58:31 PM SYSTEM 1972 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 7:02:52 PM SYSTEM 1972 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/1/2009 11:03:22 PM SYSTEM 1972 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/2/2009 7:36:52 AM SYSTEM 1984 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/2/2009 8:26:58 AM HP_Owner 4044 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
9/2/2009 2:21:06 PM SYSTEM 1500 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\HP_Owner\Desktop\WindowsXP-KB958644-x86-ENU.exe (C:\Documents and Settings\HP_Owner\Desktop\WindowsXP-KB958644-x86-ENU.exe) returning error, 00000026.