3 Trojans and a Worm

Status
Not open for further replies.

jwei44

I did a virus scan with AVG Free, and found:
Worm/Autorun
TrojanHorse Agent2.GUF x 2
These couldn't be removed because they "didn't exist"
TrojanHorse SHeur2.AFE

Now, I cannot run Spybot Search & Destroy; SUPERAntiSpyware crashes upon startup, but I got Malwarebytes to run. Also, when using Google, if I search something, most of the links redirect me to other search engines and ads. Please help. If you need any logs let me know.

Also, I got three BSODs in the last month - it was a flash so I could not read it.

1. The first one happened when I clicked the Start Button. (Computer woke up from Hibernate 6 hours ago)
2. The second one happened when I unplugged my iPod from charging (10~15 minutes after I turned the computer on) with the Safely Remove Hardware.
3. The third one happened when I right clicked iTunes.

4. One just happened a few minutes ago - I unplugged an unused USB extension cable.

Here is my HijackThis log

Please someone help - I included the HijackThis log, Malwarebytes log and Ad-Aware screenshot, but SUPERAntiSpyware cannot run

Should I remove the stuff Ad-Aware or Malwarebytes found?
 
There are more people with malware than there are volunteers to help! Please be patient.
Please do the following first. When finished, continue with my second reply regarding HijackThis entries.
You have two Real Time Protection programs running. These will interfere with the scans:
Disable TeaTimer
  • Right click the Spybot-SD Resident icon located in your system tray.
  • This will bring up the Spybot options menu; uncheck Resident Protection
  • Launch Spybot S&D Program
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot
Disable Ad-Watch
  • Right-click on the Ad-Watch icon in the system tray
  • Choose Settings from the Ad-Watch options menu
  • Make sure you are on the General Settings tab, turn OFF (noted with a red X) the option to "Load Ad-Watch at Startup"
  • In the left hand menu, click on the Status button
  • Turn OFF (noted with a red X) the option for "Regshield"
  • Close Ad-Watch
  • Right-click on the Ad-Watch icon (shield) again down in the system tray
  • Choose "Turn off Ad-Watch" from the drop menu
Credits for Ad-Watch and TeaTimer to Blind Dragon: http://www.tech-101.com/virus-malware-removal/topic34.html
Continue with reply to fix HijackThis entries.
 
I don't see the Spybot icon

I don't see a Spybot icon anywhere (not present in taskbar) nor Ad-Watch
 
After Real Time Protection has been temporarily disabled:

Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries (if present):
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [DeleteGrabPro] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Orbitdownloader\GrabPro.dll"

Unless you have the Spybot S&D option "Lock homepage from changes" active or the system Administrator has put this into place, have HijackThis fix this.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Then, close all other open windows, leaving only HijackThis open, and select Fix checked.


Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:
mdm.exe (Machine Debug Manager)
Viewpoint Manager/Player or Media
Orbitdownloader
GrabPro
dumprep.exe

Start> Run> services.msc> double click on Viewpoint> change startup type to Disabled> Stop the Service

The following are optional but recommended:
Control Panel> Add/Remove Programs> Uninstall the following:
Viewpoint
Orbitdownloader

Reboot the computer into Normal Mode> close and ignore the nag message after checking 'don't show this message again'. Stay in Selective Startup.

Empty the Recycle Bin.

Please UPDATE and rescan with Malwarebytes. Try Superantispyware now. Follow with new scan with HijackThis.

Attach new logs AND log from the AV program.
 
Should I remove the things found with MBAM and Ad-Aware?

I cannot find the Spybot or Ad-Watch icon in the tray.
 
I have asked for your patience. I sleep at night!

Yes, whatever is found in Mbam and AdAware should be removed. Both have the option to check to remove what is found. The following lines appear first in Malwarebytes, and second in Superantispyware:
Mbam: * Make sure that everything is checked, and click Remove Selected.
SAS: * Make sure everything found has a checkmark next to it, then press 'Next'.

You may have the icons for TeaTimer and Ad Watch hidden:

Right click on the Taskbar> Properties> Notification area> CHECK 'hide inactive icons'> Customize> highlight the icons for both AdWatch and TeaTimer> change the dialog box to read 'always show.'> OK> Apply> OK

Please read the instructions for the programs you run carefully.
 
Sorry, I forgot. But right now, SAS works, MBAM found the threats and I removed them, but my Google is still being redirected. So what should I do next?

Also, the Spybot and AdWatch are not in the Taskbar System Tray settings.
 
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK any entries for Spybot S&D and AdAware or AdWatch.

Please update Malwarebytes and Superantispyware and scan again, follow with rescan from HijackThis.

Attach all three logs for review. I need to see what we're dealing with.
 
Could I run both scans at the same time?
AND
When I run HijackThis, should I close all programs, including protection services?

and last:
Right now: I have not followed any steps thus far. Should I start with both scans, then HijackThis?

Here are my 3 new logs:

NOTE: After removing the threats, I restarted my computer like it asked me. It froze the first time at the log in screen.
ALSO: I ran both scans simultaneously.
 
Could I run both scans at the same time? NO
AND
When I run HijackThis, should I close all programs? YES, including protection services? NO> only Real Time Protection for TeaTimer and AdWatch.

and last:
Right now: I have not followed any steps thus far, should I start with both scans then HijackThis? YES

If you followed the steps that have been set up, you wouldn't have second guessed everything. You are impatient to resolve the problem but you're not focusing on what has been set up:

ALSO: I ran both scans simultaneously.
This is likely why it froze.

Malwarebytes has a line that says:
* Make sure that everything is checked, and click Remove Selected.
You didn't do this because Mbam shows "No Action Taken".

Superantispyware has a similar line:
* Make sure everything found has a checkmark next to it,then press 'Next'.

Please stop using ShopAtHomeSelect. You are getting adware from it.
Please stop using SOTHINK SWF CONVERTER and delete its entry - it has malware

Please follow what I am setting up. It is too time consuming to have to keep going over and over what has already been set up for you.

1. UPDATE and run Malwarebytes again. Be sure to check the line to remove what is found.
2. UPDATE and run Superantispyware again. Be sure to check the line to remove what is found.
3. Please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries (if present):

C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
If you or the Administrator did not set this and you weren't aware of it, have HJ remove it:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

Take AskBar, MSConfig, PeerGuardian, BitTorrent and the ZoneAlarm blocker off of startup:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK all of the above> Apply> OK
Control Panel> Add/Remove Programs> UNINSTALL each of the above programs.

Reboot the computer. Ignore and close the nag message after checking 'don't show again.'

You now have BitTorrent, a P2P file sharing program.
You now have the AskBar, a high source of adware
You now have PeerGuardian, an IP blocker for Windows.

I can only wonder what you got from BitTorrent!

I am withdrawing my assistance due to the addition of these programs and the continued disregard of following what has been set up for you.
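The HijackThis review in this reply and in the earlier one comes down to the same manual triage: read each log line, pull out what it launches, and compare it against a list of entries that need attention. The following Python script is an added example, not code from this thread or from HijackThis. It parses a handful of constructed log lines modelled on the ones quoted above (one benign ctfmon entry added for contrast) and flags entries whose name or path matches a review list built from the items the helper asked to have fixed or uninstalled (AskBarDis, dumprep, btdna.exe, pg2.exe, Viewpoint); an O6 IE-restriction entry is always flagged for confirmation, as the helper advises. The line formats it recognises (O2/O3, O4, O6, O23 and bare process paths) are assumed from the examples in the thread, not taken from any HijackThis specification.

```python
"""Triage HijackThis-style log lines against a review list (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: log lines modelled on the ones quoted in this thread, plus one benign entry.
SAMPLE_LOG = r"""
C:\Program Files\AskBarDis\bar\bin\AskService.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Review terms taken from the entries the helper asked to have fixed or uninstalled in this thread.
REVIEW_TERMS = ["askbardis", "dumprep", "btdna.exe", "pg2.exe", "viewpoint"]


@dataclass
class Entry:
    section: str   # "O2", "O3", "O4", "O6", "O23", or "PROC" for a bare running-process path
    name: str      # display name, Run value name, or service name ("" for a bare process)
    target: str    # file path or command line the entry launches ("" for O6)
    raw: str       # the original log line
    reasons: list = field(default_factory=list)

    @property
    def flagged(self):
        return bool(self.reasons)


# Line shapes assumed from the thread's examples; checked in order.
_PATTERNS = [
    ("O2/O3", re.compile(r'^(O[23]) - (?:BHO|Toolbar): (.+?) - \{[0-9A-Fa-f-]{36}\} - (.+)$')),
    ("O4", re.compile(r'^(O4) - (HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$')),
    ("O6", re.compile(r'^(O6) - (.+?) present$')),
    ("O23", re.compile(r'^(O23) - Service: (.+?) - (.+?) - (.+)$')),
    ("PROC", re.compile(r'^([A-Za-z]:\\.+\.exe)$', re.IGNORECASE)),
]


def parse_line(line):
    """Return an Entry for a recognised log line, or None for anything else."""
    line = line.strip()
    for kind, rx in _PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        if kind == "O2/O3":
            return Entry(m.group(1), m.group(2), m.group(3), line)
        if kind == "O4":
            return Entry("O4", f"{m.group(2)} {m.group(3)} [{m.group(4)}]", m.group(5), line)
        if kind == "O6":
            return Entry("O6", m.group(2), "", line)
        if kind == "O23":
            return Entry("O23", m.group(2), m.group(4), line)
        return Entry("PROC", "", m.group(1), line)
    return None


def triage(log_text, review_terms, flag_ie_restrictions=True):
    """Parse every recognised line and attach a reason to each entry that needs attention."""
    terms = [t.lower() for t in review_terms]
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        haystack = f"{e.name} {e.target}".lower()
        for t in terms:
            if t in haystack:
                e.reasons.append(f"matches review term '{t}'")
        if flag_ie_restrictions and e.section == "O6":
            e.reasons.append("IE policy restriction present; confirm it was set intentionally")
        entries.append(e)
    return entries


def summarize(entries):
    """One line per entry: '!' marks entries to fix, ' ' marks entries left alone."""
    return [f"[{'!' if e.flagged else ' '}] {e.section:<4} {e.raw}" for e in entries]


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG, REVIEW_TERMS))))
```

Run as-is to see the constructed sample triaged; to use it on a real log, pass the saved HijackThis log text to `triage` in place of `SAMPLE_LOG`. The review list is deliberately a plain substring match on name and path so it catches the same entry whether it appears as a running process, a BHO, a Run value or a service.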
 
BitTorrent - music
and well, I did clean the things with MBAM and SAS, and I just clicked the restart computer button from SAS first since I cleaned that second

I did not install AskBar nor ShopAtHome
 
I have worked with three people today who are deep in file sharing programs, and the malware that comes with them. It is discouraging to try and get their systems clean because as long as the P2P programs are being used, so the malware will come:

your SAS log shows:
Adware.ShopAtHomeSelect> only a visit or a shared file can do this- it doesn't have to be an installed program.

Trojan.SVCHost/Fake
C:\DOCUMENTS AND SETTINGS\JONATHANWEI\APPLICATION DATA\THINSTALL\SOTHINK SWF CONVERTER\1000000600002I\SVCHOST.EXE

And the AskBar is installed per the HijackThis log. Whenever you go to download anything, always check the page for any checkmarks already in the box for junk like the AskBar.
 
I uninstalled BitTorrent. And the AskBar came with ZoneAlarm. The SoThink, I did not know it was a virus - I used it for converting FLVs, and the ShopAtHome, it was my cousin who was doing online surveys. So yeah ~ When I scanned with updated MBAM, I found something like Trojan DNSChanger and when I clicked remove checked, my computer froze.
 
You got a Trojan when you either used SOTHINK SWF CONVERTER or from the site you downloaded it from.

The AskBar doesn't come with ZoneAlarm. It must be pre-checked on the site where you downloaded ZA. As mentioned, always check the download screen for pre-checks and uncheck them unless you give permission for that to download also.

The DNS Changer is a serious infection. I saw one infected file in the first Mbam log which you hadn't checked for removal, but oddly you didn't have the IP entries we usually see with that in the HijackThis log.

You'll recognize this Trojan by checking the DNS server assignments on the computer that does not update. Do this by following these steps:

  1. Start> Run> type in cmd
  2. At the command prompt, type IPCONFIG /ALL and press Enter
  3. You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something similar.
  4. Find the DNS Server section and double-check the numbers. Usually the DNS is a local IP like 192.168.0.1 or it could be a statically assigned IP from your ISP. If the DNS numbers are remotely similar to the following IPs then you have the DNS Changer Trojan. These IPs originate in Europe.
     85.255.113.122
     85.255.112.83
     85.255.116.148
     85.255.112.223
  5. Type Exit at the command prompt to close it

Reset router: You need to reset your router, even if you buy a whole new computer. Why? Because as you can see, any computer you connect to it will be connecting to a malicious server prior to reaching the net.

  1. Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
  2. Shut down your computer, and any other computer connected to your router.
  3. On the back of the router, there should be a small hole or button labelled RESET.
     • Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
     • Unplug the router. Wait sixty seconds.
     • Now, holding the reset button again, plug it back in.
     • Continue holding the reset button for twenty seconds.
     • Unplug the router again.
  4. With the router unplugged, start your computer. Run MBAM again.
  5. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.
  6. After resetting your router, go to Start -> Run -> type in cmd and press enter -> at the prompt type ipconfig /flushdns -> type EXIT and press enter.
  7. After you are connected again, run a fresh HijackThis log.

Please attach the Mbam and HJ new logs.
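The DNS check in the steps above can be scripted so the comparison is not done by eye. The following Python script is an added example and is not from this thread or from any tool mentioned in it. It parses saved `ipconfig /all` output (here a constructed sample in Windows XP layout, with the suspect addresses taken from the list above) and reports, per adapter, whether each DNS server is a private address, falls in the range the four listed addresses share, or is a public resolver that should be confirmed with the ISP. The aggregated range 85.255.112.0/21 is my assumption from the four listed addresses, not something the post states, and the parsing relies on the label and indentation layout shown in the sample.

```python
"""Audit DNS server assignments in saved `ipconfig /all` output (added example, not from the thread)."""
import ipaddress
import re
import sys

# Assumed aggregate of the four 85.255.x.x addresses quoted in the thread
# (85.255.112.0/21 covers 85.255.112.0 to 85.255.119.255). Author's assumption, not from the post.
DNS_CHANGER_RANGES = [ipaddress.ip_network("85.255.112.0/21")]

# Constructed sample in Windows XP `ipconfig /all` layout: the LAN adapter points at two
# addresses from the thread's list, the wireless adapter at the usual router address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Ethernet Adapter
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 85.255.112.83
                                            85.255.116.148
        Lease Obtained. . . . . . . . . . : Monday, 1 January 2000 12:00:00

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless Adapter
        IP Address. . . . . . . . . . . . : 192.168.0.110
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

VERDICTS = {
    "suspect": "in the address range associated with the DNS changer trojan",
    "private": "private address (router or other local resolver); expected",
    "public": "public resolver; confirm it is the one your ISP assigns",
    "invalid": "not a valid IPv4 address; inspect the line by hand",
}

# Layout assumptions: an adapter header is an unindented line containing "adapter" and ending
# in ":"; the DNS line is "DNS Servers . . . : <ip>"; extra servers follow as indented bare IPs.
_ADAPTER_RX = re.compile(r'^(\S.*\badapter\b.*):\s*$', re.IGNORECASE)
_DNS_RX = re.compile(r'^\s*DNS Servers[ .]*:\s*(\S+)?\s*$')
_CONT_RX = re.compile(r'^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$')


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [dns server, ...]} from `ipconfig /all` output."""
    result = {}
    adapter = None
    in_dns = False  # True while reading continuation lines of a DNS Servers block
    for line in ipconfig_text.splitlines():
        m = _ADAPTER_RX.match(line)
        if m:
            adapter = m.group(1)
            result.setdefault(adapter, [])
            in_dns = False
            continue
        m = _DNS_RX.match(line)
        if m and adapter is not None:
            in_dns = True
            if m.group(1):
                result[adapter].append(m.group(1))
            continue
        if in_dns:
            m = _CONT_RX.match(line)
            if m:
                result[adapter].append(m.group(1))
                continue
            in_dns = False  # any other line ends the DNS block
    return result


def classify(ip_str):
    """Map one DNS server address to a verdict key from VERDICTS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if any(ip in net for net in DNS_CHANGER_RANGES):
        return "suspect"
    if ip.is_private:
        return "private"
    return "public"


def audit(ipconfig_text):
    """Return (findings, any_suspect); findings is a list of (adapter, dns server, verdict)."""
    findings = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        for server in servers:
            findings.append((adapter, server, classify(server)))
    return findings, any(v == "suspect" for _, _, v in findings)


if __name__ == "__main__":
    # Usage: ipconfig /all > ipconfig.txt, then: python dns_check.py ipconfig.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_IPCONFIG
    findings, any_suspect = audit(text)
    for adapter, server, verdict in findings:
        print(f"{adapter}: {server} -> {verdict}: {VERDICTS[verdict]}")
    print("RESULT:", "DNS changer indicators present" if any_suspect else "no DNS changer indicators")
```

Without an argument the script audits the constructed sample; with the path of a saved `ipconfig /all` output it audits that instead. A "private" verdict is what the post describes as the normal case (a local router address such as 192.168.0.1); a "public" verdict is not by itself a problem but should be checked against what the ISP actually assigns.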
 
Resetting router

the router - It's locked up in my dad's room - what do i do?

the DNS part - it's like 192.168.0.110

NOTE:
In SAS, no matter how many times I ask it to remove ShopAtHome it comes back. And these are from last night because I had to go do something. But are they okay?
 
Well, I also have a router that my computer is connected to (downstairs) and a secondary one upstairs. Which one do I reset?
 
Well, the one downstairs connects through some kind of white box that connects to the power outlet, and I got an antenna sticking off my computer connected to some router, but if you unplug the one upstairs the internet doesn't work... so upstairs? And according to my dad the one down here connects to the one up there.
 
Please speak to the parent in the house. Perhaps he will understand what needs to be done and why.
 
He said no. None of the other computers are affected except mine - will a clean install of XP work?


EDIT: Only Mozilla was affected. Also, I cannot do any System Restore.
 