TechSpot

3 Trojans and a Worm

By jwei44
May 14, 2009
  1. I did a virus scan with AVG Free, and found:
    Worm/Autorun
    TrojanHorse Agent2.GUF x 2
    These couldn't be removed because they "didn't exist"
    TrojanHorse SHeur2.AFE

    Now, I cannot run Spybot Search & Destroy, SUPERAntispyware - crashes upon startup, but I got Malware to run. Also, when using Google, if I search something, most of the links redirect me to other search engines and ADs. Please help. If you need any logs let me know.

    Also, I got three BSOD'S in the last month - it was a flash so I could not read it.

    1. The first one happened when I clicked the Start Button. (Computer woke up from Hibernate 6 hours ago)
    2. The second one happened when I unplugged my iPod from charging (10~15 minutes after I turned the computer on) with the Safely Remove Hardware.
    3. The third one happened when I right clicked iTunes.

    4. One just happened a few minutes ago - I unplugged an unused USB extension cable.

    Here is my hijack this log

    Please someone help - I included hijackthis log, malwarebytes log, AdAware screen shot, but Super AntiSpyware cannot run

    Should I remove the stuff Adware or Malwarebytes found?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There are more people with malware than there are volunteers to help! Please be patient.
    Please do the following first. When finished, continue with my second reply regarding HijackThis entries.
    You have two Real Time Protection programs running. These will interfere with the scans:
    Disable Tea Timer
    • Right click the Spybot-S&D Resident icon located in your system tray.
    • This will bring up the Spybot options menu, uncheck Resident Protection
    • Launch Spybot S&D Program
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close Spybot
    Disable Ad-Watch
    • Right-click on the Ad-Watch icon in the system tray
    • Choose Settings from the Ad-watch options menu
    • Make sure you are on the General Settings tab, turn OFF (noted with a red X) the option to "Load Ad-Watch at Startup"
    • In the left hand menu, click on the Status button
    • Turn OFF (noted with a red x) the option for "Regshield"
    • Close Ad-watch
    • Right-click on the (Ad-Watch icon) shield again down in the system tray
    • Choose "Turn off Ad-Watch" from the drop menu
    Credits for AdWatch and TeaTimer to Blind Dragon: http://www.tech-101.com/virus-malware-removal/topic34.html
    Continue with reply to fix HijackThis entries.
     
  3. jwei44

    jwei44 TS Rookie Topic Starter

    I don't see the Spybot icon

    I don't see a Spybot icon anywhere (not present in taskbar) nor Ad-Watch
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    After Real Time Protection has been temporarily disabled:

    Please open HijackThis, and select Do a system scan only.

    Place a checkmark next to the following entries (if present):
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\RunOnce: [DeleteGrabPro] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Orbitdownloader\GrabPro.dll"

    Unless you have the Spybot S&D option "Lock homepage from changes" active or the system Administrator has put this into place, have HijackThis fix this.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.


    Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:
    mdm.exe (Machine Debug Manager)
    Viewpoint Manager/Player or Media
    Orbitdownloader
    GrabPro
    dumprep.exe

    Start> Run> services.msc> double click on Viewpoint> change startup type to Disabled> Stop the Service

    The following are optional but recommended:
    Control Panel> Add/Remove Programs> Uninstall the following:
    Viewpoint
    Orbitdownloader

    Reboot the computer into Normal Mode> close and ignore the nag message after checking 'don't show this message again'. Stay in Selective Startup.

    Empty the Recycle Bin.

    Please UPDATE and rescan with Malwarebytes. Try Superantispyware now. Follow with new scan with HijackThis.

    Attach new logs AND log from the AV program.
     
  5. jwei44

    jwei44 TS Rookie Topic Starter

    Should I remove the things found with MBAM and AdWare?

    I cannot find the Spybot or AdWatch icon in the tray.

    Should I remove the things found with MBAM and AdWare?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have asked for your patience. I sleep at night!

    Yes, whatever is found in Mbam and AdAware should be removed. Both have the option to check to remove what is found. The following lines appear first in Malwarebytes, and second in Superantispyware:
    Mbam: * Make sure that everything is checked, and click Remove Selected.
    SAS: * Make sure everything found has a checkmark next to it, then press 'Next'.

    You may have the icons for TeaTimer and Ad Watch hidden:

    Right click on the Taskbar> Properties> Notification area> CHECK 'hide inactive icons'> Customize> highlight the icons for both AdWatch and TeaTimer> change the dialog box to read 'always show.'> OK> Apply> OK

    Please read the instructions for the programs you run carefully.
     
  7. jwei44

    jwei44 TS Rookie Topic Starter

    Sorry, I forgot. But right now, SAS works, MBAM found the threats and I removed them, but my google is still being re-directed. So what should I do next?

    Also, the Spybot and AdWatch are not in the Taskbar System Tray settings.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK any entries for Spybot S&D and AdAware or AdWatch.

    Please update Malwarebytes and Superantispyware and scan again, follow with rescan from HijackThis.

    Attach all three logs for review. I need to see what we're dealing with.
     
  9. jwei44

    jwei44 TS Rookie Topic Starter

    Could I run both Scans at the same time?
    AND
    When I run hijack this, should I close all programs, including protection services?

    and last:
    Right now: I have not followed any steps thus far, should I start with both scans then hijack this.

    Here are my 3 new logs:

    NOTE: After removing the threats, I restarted my computer like it asked me. It froze the first time at the log in screen.
    ALSO: I ran both scans simultaneously.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you followed the steps that have been set up, you wouldn't have second guessed everything. You are impatient to resolve the problem but you're not focusing on what has been set up:

    This is likely why it froze.

    Malwarebytes has a line that says:
    * Make sure that everything is checked, and click Remove Selected.
    You didn't do this because Mbam shows "No Action Taken"

    Superantispyware has a similar line:
    * Make sure everything found has a checkmark next to it, then press 'Next'.

    Please stop using ShopAtHomeSelect. You are getting adware from it.
    Please stop using SOTHINK SWF CONVERTER and delete its entry - it has malware

    Please follow what I am setting up. It is too time consuming to have to keep going over and over what has already been set up for you.

    1. UPDATE and run Malwarebyte again. Be sure to check the line to remove what is found.
    2. UPDATE and run Superantispyware again. Be sure to check the line to remove what is found.
    3. Please open HijackThis, and select Do a system scan only.
    Place a checkmark next to the following entries (if present):

    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    If you or the Administrator did not set this and you weren't aware of it, have HJ remove it:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

    Take AskBar, MSconfig, PeerGuardian, BitTorrent and the ZoneAlarm blocker off of startup:
    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK all of the above> Apply> OK
    Control Panel> Add/Remove Programs> UNINSTALL each of the above programs.

    Reboot the computer. Ignore and close the nag message after checking 'don't show again.'

    You now have BitTorrent, a P2P file sharing program.
    You now have the AskBar, a high source of adware
    You now have PeerGuardian, an IP blocker for Windows.

    I can only wonder what you got from BitTorrent!

    I am withdrawing my assistance due to the addition of these programs and the continued disregard of following what has been set up for you.
     
  11. jwei44

    jwei44 TS Rookie Topic Starter

    BitTorrent - music
    and well, I did clean the things with MBAM and SAS, and I just clicked the restart computer button from SAS first since I cleaned that second

    I did not install AskBar nor ShopAtHome
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have worked with three people today who are deep in file sharing programs, and the malware that comes with them. It is discouraging to try and get their systems clean because as long as the P2P programs are being used, so the malware will come:

    your SAS log shows:
    Adware.ShopAtHomeSelect> only a visit or a shared file can do this- it doesn't have to be an installed program.

    Trojan.SVCHost/Fake
    C:\DOCUMENTS AND SETTINGS\JONATHANWEI\APPLICATION DATA\THINSTALL\SOTHINK SWF CONVERTER\1000000600002I\SVCHOST.EXE

    And the AskBar is installed per the HijackThis log. Whenever you go to download anything, always check the page for any checkmarks already in the box for junk like the AskBar.
     
  13. jwei44

    jwei44 TS Rookie Topic Starter

    I uninstalled BitTorrent. And the ASKbar came with ZoneAlarm. The SoThink, I did not know it was a virus - I used it for converting FLVs and the ShopAtHome, it was my cousin who was doing online surveys. So yeah ~ When I scanned with updated MBAM, I found something like Trojan DNSchanger and when I clicked remove checked, my computer froze.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You got a Trojan when you either used SOTHINK SWF CONVERTER or from the site you downloaded it from.

    The AskBar doesn't come with ZoneAlarm. It must be pre-checked on the site where you downloaded ZA. As mentioned, always check the download screen for pre-checks and uncheck them unless you give permission for that to download also.

    The DNS Changer is a serious infection. I saw one infected file in the first Mbam log which you hadn't checked for removal, but oddly you didn't have the IP entries we usually see with that in the HijackThis log.

    You'll recognize this Trojan by checking the DNS server assignments on the computer that does not update. Do this by following these steps:

    [1] Start> Run> type in cmd
    [2] At the command prompt, type IPCONFIG /ALL and press Enter
    [3] You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something similar.
    [4] Find the DNS Server section and double-check the numbers. Usually the DNS is a local IP like 192.168.0.1 or it could be a statically assigned IP from your ISP. If the DNS numbers are remotely similar to the following IPs then you have the DNS Changer Trojan. These IPs originate in Europe.
        85.255.113.122
        85.255.112.83
        85.255.116.148
        85.255.112.223
    [5] Type Exit at the command prompt to close it

    Reset router: You need to reset your router, even if you buy a whole new computer. Why? Because as you can see, any computer you connect to it will be connecting to a malicious server prior to reaching the net.


    [1]. Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
    [2]. Shut down your computer, and any other computer connected to your router.
    [3]. On the back of the router, there should be a small hole or button labelled RESET.
        • Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
        • Unplug the router. Wait sixty seconds.
        • Now, holding the reset button again, plug it back in.
        • Continue holding the reset button for twenty seconds.
        • Unplug the router again.
    [4]. With the router unplugged, start your computer. Run MBAM again.
    [5]. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [6]. After resetting your router - go to Start -> Run -> type in cmd and press enter -> at the prompt type ipconfig /flushdns -> type EXIT and press enter.
    [7]. After you are connected again - run a fresh HijackThis log.

    Please attach the Mbam and HJ new logs.
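The DNS check from step [4] of the post above, written out as an added example that is not part of the original thread or of any tool named in it: it parses `ipconfig /all` output, collects the DNS Servers of each adapter and compares them with the four resolver addresses quoted in that post. The ipconfig text is a constructed sample rather than the poster's real output, and the LOCAL/REVIEW labels go slightly beyond the post by separating a private-address resolver (a home router, as in the poster's 192.168.0.110) from a public one that should be confirmed with the ISP.

```python
import ipaddress
import re

# Constructed `ipconfig /all` sample, not the poster's real log: the wired adapter
# uses the home router, the wireless adapter points at two listed resolvers.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.5
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.110

Ethernet adapter Wireless Network Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 85.255.112.83
                                            85.255.116.148
"""

# DNS Changer resolver addresses quoted in the post above.
KNOWN_BAD_DNS = {"85.255.113.122", "85.255.112.83",
                 "85.255.116.148", "85.255.112.223"}

def parse_dns_servers(text):
    """Return {adapter name: [DNS server IPs]} from ipconfig /all output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        head = re.match(r"(\S.*):\s*$", line)                  # adapter header at column 0
        dns = re.match(r"\s+DNS Servers[ .]*: (\S+)", line)   # labelled first DNS server
        more = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)  # unlabelled extra servers
        if head:
            current, in_dns = head.group(1), False
            adapters[current] = []
        elif dns and current is not None:
            adapters[current].append(dns.group(1))
            in_dns = True
        elif more and in_dns:
            adapters[current].append(more.group(1))
        else:
            in_dns = False
    return adapters

def classify(ip_str):
    """KNOWN_BAD: listed DNS Changer server. LOCAL: private address such as
    a home router. REVIEW: public resolver to confirm with your ISP."""
    if ip_str in KNOWN_BAD_DNS:
        return "KNOWN_BAD"
    return "LOCAL" if ipaddress.ip_address(ip_str).is_private else "REVIEW"

def check_dns(text):
    return {name: [(ip, classify(ip)) for ip in ips]
            for name, ips in parse_dns_servers(text).items()}
```

On a real machine, feed it the saved output of `ipconfig /all` instead of the sample; any KNOWN_BAD entry is the sign the post describes, and the router reset steps still apply.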
     
  15. jwei44

    jwei44 TS Rookie Topic Starter

    Resetting router

    the router - It's locked up in my dad's room - what do I do?

    the DNS part - it's like 192.168.0.110

    NOTE:
    In SAS, no matter how many times I ask it to remove ShopAtHome it comes back. And these are from last night because I had to go do something. But are they okay?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You ask your dad to unlock the door and reset the router.
     
  17. jwei44

    jwei44 TS Rookie Topic Starter

    Well, I also have a router that my computer is connected to (downstairs) and a secondary one upstairs. Which one do I reset?
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Whichever one you use to get your internet access.
     
  19. jwei44

    jwei44 TS Rookie Topic Starter

    Well, the one downstairs connects through some kind of white box that connects to the power outlet, and I got an antenna sticking off my computer connected to some router, but if you unplug the ones upstairs the internet doesn't work... so upstairs? And according to my dad the one down here connects to the one up there.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please speak to the parent in the house. Perhaps he will understand what needs to be done and why.
     
  21. jwei44

    jwei44 TS Rookie Topic Starter

    He said no. None of the other computers are affected except mine - will a clean install of XP work?


    EDIT: Only Mozilla was affected. Also, I cannot do any System Restore.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The router needs to be reset.
     
Topic Status:
Not open for further replies.
