TechSpot

8 Steps completed, logs attached

By hellokitty[hk]
Mar 29, 2009
  1. I put my flash drive into an infected computer (a WHOLE ton of viruses, don't ask, silly me...) and put it back on my computer (seemingly clean, Avira and Spybot scan). When I double-click on the removable disk from My Computer, it says "Cannot find Setup.pif" or something like that; this happens on every clean computer now, though I've never left my flash drive on a clean computer for very long. The worst part is that now my computer doesn't give me the error anymore while all other computers do. I ran a full scan on the flash drive using Avira and I ran a whole system scan with Spybot; all clean, they say. I accidentally confirmed the virus: on a clean computer, I plugged it in and a virus alert came up and told me my flash drive was infected. I was in a hurry so I didn't catch what antivirus it was.

    My flash drive doesn't exhibit any strange behavior and I don't see any suspicious files, and I wouldn't mind reformatting the drive too much, but I would prefer not to because I would have to move all the files to my computer, format, then put them back on, maybe even putting the virus back. My computer seems normal too.

    I just found an "autorun.inf" file on my flash drive that said to autorun "setup.pif". I guess that means the clean computers do not have the virus and get the error, but my computer does!
    I deleted that line of code, which was also the only line.

    Thanks!
     

    Attached Files:
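
The autorun.inf directive described in the post above is what makes XP-era AutoPlay run setup.pif when the drive is double-clicked. The following is an added example, not part of the thread and not code from any of its participants: it parses the [autorun] section the way AutoPlay reads it, lists every directive that launches a program (open=, shellexecute=, shell\<verb>\command=), and checks each target against a listing of the drive root. The autorun.inf text and both drive listings are constructed for the example.

```python
r"""Triage an autorun.inf found on a removable drive.

Added example, not from the original thread. Parses the [autorun] section,
collects every directive that launches a program (open=, shellexecute=,
shell\<verb>\command=) and checks each target against a listing of the
drive root. The autorun.inf text and drive listings below are constructed.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Extensions Windows runs directly when named in an autorun directive.
EXECUTABLE_EXT = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Keys that make AutoPlay execute something. "shell=open" only selects a
# verb; "icon=", "label=" and "action=" never run anything by themselves.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

# Leading ".\" or "\" on a drive-relative path.
LEADING_DOTS = re.compile(r"^(\.?\\)+")


@dataclass
class Finding:
    directive: str   # key that named the program
    target: str      # drive-relative file name, lower-cased
    exists: bool
    hidden: bool
    verdict: str     # hidden_executable | missing_target | visible_executable | non_executable


def parse_autorun(text: str) -> list[tuple[str, str]]:
    """(key, value) pairs from the [autorun] section only.

    Deliberately tolerant: worm-written autorun.inf files carry junk lines,
    mixed-case keys, comments and decoy sections to trip up naive scanners.
    """
    pairs: list[tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def program_from_command(value: str) -> str:
    """First token of a command line (quotes honoured), normalised for lookup."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        prog = value[1:end] if end > 0 else value[1:]
    else:
        prog = value.split()[0] if value.split() else ""
    return LEADING_DOTS.sub("", prog.replace("/", "\\")).lower()


def launch_targets(pairs: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """(directive, program) for every directive that executes a file."""
    return [(k, program_from_command(v)) for k, v in pairs if LAUNCH_KEY.match(k)]


def assess_autorun(text: str, drive: dict[str, dict]) -> list[Finding]:
    """drive maps lower-cased names at the drive root to their attributes."""
    findings = []
    for directive, target in launch_targets(parse_autorun(text)):
        attrs = drive.get(target)
        exists = attrs is not None
        hidden = bool(attrs and attrs.get("hidden"))
        runnable = os.path.splitext(target)[1] in EXECUTABLE_EXT
        if not runnable:
            verdict = "non_executable"
        elif not exists:
            verdict = "missing_target"      # the "Cannot find setup.pif" case
        elif hidden:
            verdict = "hidden_executable"   # classic USB-worm layout
        else:
            verdict = "visible_executable"
        findings.append(Finding(directive, target, exists, hidden, verdict))
    return findings


# Constructed sample in the style of the USB worms of the period.
SAMPLE_AUTORUN = """\
[AutoRun]
; junk comment lines and mixed case are typical
OPEN=setup.pif
shellexecute=setup.pif
shell\\Open\\command=".\\setup.pif" /s
shell\\explore\\command=setup.pif
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed listings: the drive as infected, and after an AV removed the dropper.
INFECTED_DRIVE = {
    "autorun.inf": {"hidden": True, "size": 170},
    "setup.pif": {"hidden": True, "size": 51200},
    "photos.zip": {"hidden": False, "size": 8_000_000},
}
CLEANED_DRIVE = {k: v for k, v in INFECTED_DRIVE.items() if k != "setup.pif"}

if __name__ == "__main__":
    for label, drive in (("infected", INFECTED_DRIVE), ("cleaned", CLEANED_DRIVE)):
        for f in assess_autorun(SAMPLE_AUTORUN, drive):
            print(f"{label}: {f.directive} -> {f.target}: {f.verdict}")
```

On a real drive the listing comes from `os.scandir` on the drive root, with the hidden bit read on Windows from `entry.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN`. Two caveats worth keeping in mind: deleting the open= line, as the poster did, only stops AutoPlay from launching the dropper; setup.pif itself, and whatever on the host wrote it there, are still present and need to be removed separately. And a "cleaned" listing that still produces missing_target findings is the situation described in the post: the autorun.inf is intact but its target is gone, which is why clean machines report "Cannot find Setup.pif".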

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Malwarebytes log shows No action taken. That means you did not follow this: "* Make sure that everything is checked, and click Remove Selected."
    Please update the program and rescan, being sure to check the appropriate line.

    SuperAntispyware has a similar line: "Make sure everything found has a checkmark next to it,then press 'Next'"
    Please update the program and rescan, being sure to check the appropriate line.

    To prevent the Tracking Cookies: Each Account must do this: the accounts I see are anson, kitty, lli, rejpy1n1, mow, amy, gjcofnnr> it appears that none of you have been doing maintenance.
    Reset Cookies:
    You show the following entries:
    C:\Program Files\Orbitdownloader\orbitnet.exe> P2P service of Orbit Downloader
    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, boot into Safe Mode:

    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK each of the following
    Control Panel> Add/Remove Programs> UNINSTALL all entries for the following:
    Reboot into Normal Mode. NOTE: the first boot after you have removed some entries on Startup will show a nag message that can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup.

    I am uncertain about the Chrome App date entries. I have never seen them in a HijackThis log and my gut suggestion is to check and have HJ remove all. There are way too many programs and processes running and the log entries show signs of poor maintenance.

    It appears that there are seven user accounts set up and 4 browsers being used. No system can support this if disc clean-up, error check, defrag, uninstalling of unused programs, etc, aren't done.

    Please attach the new logs from Mbam, SAS and rescan with HJ when the above have been completed.
     
  3. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    There should be four user accounts: Anson, Kitty, LLi, Li Amy...?
    Yes, four browsers sounds short. I think I have Chrome, Iexplorer, Firefox, Opera, Safari, K-lite (nobody's heard of it), SpaceTime (again, unusual); I think I did at one point have another but it should be uninstalled. I also have Songbird, if that counts as a browser.

    Wait, so you want me to boot into safe mode without starting up orbitz, steam, or AskAbr (don't know what that is O.o) and uninstall them?

    I do want orbitz and Steam on my computer... do I get to reinstall them later?

    Reran the scans... I don't know what the logs say, but Malwarebytes didn't detect anything this time; I am going to assume I DID in fact remove all malware it found.
    I didn't attach the log because it is very short and just says there is no malware found:
    SUPERAntiSpyware similarly found only two tracking cookies and a ClickSpring (whatever that is...), definitely more than the first scan... for some reason, I can't check the D:. I clicked next anyway and it went to a screen saying "SUPERAntiSpyware is now quarantining and removing the potentially harmful software detected on your system." It gave me a list, processing three files, then removing three files, and a reboot prompt came up; I will reboot soon.

    EDIT: I haven't rebooted yet, but I found a couple of weird processes running... and I just looked into my startup. There's a couple of new entries in my registry: "Luoa, C:\windows]?racle\msconfig.exe" and "Cphefibi, FILE NOT FOUND C:\Windows\system32,??sks\t?skmger.exe"
    I looked, and there is a new Oracle folder in my Windows directory with a hidden 69 KB msconfig.exe, modified today. Malwarebytes didn't find anything in it but Avira caught it as TR/Dldr.PurityScan.FK. I've deleted the whole folder. There are also two processes I don't recognize: PnkBstrA.exe and PnkBstrB.exe in my system32 folder.

    I'm going to do another scan with Avira, Malwarebytes, and SUPERAntiSpyware tonight O.o...
    But here's my attached HijackThis log.
    Thanks for your help; sorry if my system needs some cleaning.
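
The two Run entries quoted in the post above (a Windows utility name sitting in an unexpected folder under C:\WINDOWS, and an entry whose file is gone, written with characters the forum could not render) are exactly what a startup-log triage should catch. The following is an added example, not code from the thread and not from HijackThis: it assumes the HijackThis 2.x O4 line layout ("O4 - HKLM\..\Run: [Name] C:\path\prog.exe args", with " (file missing)" appended when the image is gone) and a %SystemRoot% of C:\WINDOWS; the log lines themselves are constructed, and the Cyrillic letter in one of them stands in for the unrenderable characters in the post.

```python
r"""Triage HijackThis O4 (registry Run) lines for the patterns in the post above.

Added example, not from the thread and not HijackThis code. It assumes the
HijackThis 2.x line shape "O4 - HKLM\..\Run: [Name] C:\path\prog.exe args",
with " (file missing)" appended when the image is gone; O4 "Startup:" folder
lines have a different shape and are skipped. The sample lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Program image: a quoted path, or everything up to the first executable extension.
IMAGE_RE = re.compile(
    r'^(?P<img>"[^"]*"|.*?\.(?:exe|pif|com|scr|bat|cmd|dll))(?:\s|$)', re.IGNORECASE
)

# Names of Windows utilities that malware likes to borrow (the post's fake
# msconfig.exe in C:\WINDOWS\Oracle is the textbook case).
SYSTEM_UTILITIES = {
    "msconfig.exe", "taskmgr.exe", "regedit.exe", "svchost.exe", "explorer.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "userinit.exe",
}
# Where the real ones live. Assumes %SystemRoot% = C:\WINDOWS (on XP msconfig
# lives under pchealth\helpctr\binaries; on later versions under system32).
LEGIT_SYSTEM_DIRS = {
    "c:\\windows", "c:\\windows\\system32", "c:\\windows\\pchealth\\helpctr\\binaries",
}


@dataclass
class StartupEntry:
    hive: str
    name: str
    image: str               # program path as HijackThis printed it
    file_missing: bool
    flags: list[str] = field(default_factory=list)


def image_from_command(cmd: str) -> str:
    """Program path from a Run value, dropping arguments and surrounding quotes."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("img").strip('"') if m else cmd.strip().split(" ")[0]


def parse_o4(text: str) -> list[StartupEntry]:
    entries = []
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue                     # not a registry Run line in this layout
        cmd = m.group("cmd")
        missing = cmd.endswith(" (file missing)")
        if missing:
            cmd = cmd[: -len(" (file missing)")]
        entries.append(StartupEntry(m.group("hive"), m.group("name"),
                                    image_from_command(cmd), missing))
    return entries


def flag_entry(e: StartupEntry) -> StartupEntry:
    directory, _, base = e.image.lower().rpartition("\\")
    if base in SYSTEM_UTILITIES:
        e.flags.append("system_utility_name")        # never a normal Run entry
        if directory not in LEGIT_SYSTEM_DIRS:
            e.flags.append("unexpected_directory")   # look-alike dropped elsewhere
    if any(not 32 <= ord(c) < 127 for c in e.image):
        e.flags.append("non_ascii_in_path")          # homoglyph or unprintable name
    if e.file_missing:
        e.flags.append("file_missing")               # dead entry; remove it anyway
    return e


def triage(text: str) -> list[StartupEntry]:
    return [flag_entry(e) for e in parse_o4(text)]


# Constructed sample log. The Cyrillic "a" (U+0430) in the fourth line stands
# in for the characters the forum could not render in the post.
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [Luoa] C:\\WINDOWS\\Oracle\\msconfig.exe
O4 - HKCU\\..\\Run: [Cphefibi] C:\\WINDOWS\\system32\\Tasks\\t\u0430skmgr.exe (file missing)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_O4):
        print(f"[{e.name}] {e.image}: {', '.join(e.flags) or 'ok'}")
```

The rules are narrow on purpose: they catch a Windows utility name launched from the wrong place, a path with characters that should never appear in one, and a Run value whose file no longer exists. They say nothing about merely unfamiliar names, so entries such as PnkBstrA/PnkBstrB (PunkBuster's own services, as a later post notes) pass through unflagged, and a clean verdict from this script is not a clean verdict for the system.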
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My apology. There are so many tracking cookies that the display is difficult to read. Confirm Anson, Kitty, LLI and Amy, but you show one more as 'mow':
    I was only able to observe processes currently running.
    I want you to boot into Safe Mode and first take them off of the Startup menu using msconfig.
    If you want to keep the programs, don't uninstall them. But be advised that you are putting the system at risk and will most certainly get malware!
    Don't assume. You ran the programs previously without removing the malware. I need to see the logs.
    Impossible to be 'more than the first scan'! I need to see the log.

    Click Spring is a Potentially Unwanted Program (PUP) detection. It is not a virus or Trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of. This was found in your first SAS log:
    It means that most likely you didn't follow the directions in SAS to check items found for removal, per my reply #2.
    Removal of some malware REQUIRES a reboot of the system. IF you did not follow that instruction, the items were not removed.

    TR/Dldr.PurityScan.FK is a Trojan Downloader. It downloads a malicious file and does registry modification. Description here:
    http://www.avira.com/en/threats/section/fulldetails/id_vir/4160/tr_dldr.purityscan.fk.html
    You need to run a full system scan, make sure the AV quarantines all entries, then delete the quarantined items. Rescan with AV to make sure all are gone.
    Someone downloaded and installed it on the system. It is related to the PunkBuster™ anti-gamecheat program. This is not new- it was on the first logs. http://www.punkbuster.com/

    You are not removing the entries I listed in the HJ log:
    And you now show this:
    Remove 024 Desktop from HijackThis:
    The bottom line here is that you are still getting malware, and are failing to follow through on the instructions I give you. You have way too many processes starting on boot, you are using file sharing programs, and it does not appear that any maintenance is being done on the system. To be honest, it's not going to do too much good to remove the malware. It's only a temporary stop-gap until the next time.

    Running additional cleaning programs is indicated, but I'm not sure it would do any good.
     
  5. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    I did reboot after my Avira finished.

    This is getting really weird and confusing, so I just started again from the beginning. CCleaned Avira scan...I need to reboot right now, I will attach logs and run a hijack this momentarily in my next edit.

    Thanks again.
    Logs attached, running yet another Avira scan. By the way,

    Yes, my computer is messy; my goal was to mop it up before the end of the month, but I can be a little late. Do you have any suggestions? I've already cut down on my startup a lot; it was a worthless mess a couple of weeks ago. The last time I remember seeing the PnkBstr entries was a long time ago when I played a game that used PunkBuster; I remember now I thought it was a virus before. I can take that out of my startup too, right? I don't know how or why it's there anymore.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please have someone assist you in wiping the system clean, reformatting and reinstalling the operating system. I am not going to waste my time going through logs, setting up information for you to follow then seeing none of it was done! There are too many users on the system, none of which care about security or maintenance.
     
  7. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    If it makes you happier, my latest Avira and Malwarebytes scans came up clean. I have since removed orbitz, AskBar and Steam from my startup, and I have gone back into the Web tab of Customize Desktop and cleared everything for ALL users except my home page, not just myself.
    And I went and deleted the files, except for the AutorunsDisabled ones, which are the startup entries that I have disabled...
    I also ran a defrag.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I was supporting one member once (but I can't find the old thread)
    And all his logs showed that he was not following what I said
    So I said that you must remove these entries (lots of them)
    But he said he did, and we were just arguing in circles, and doing the same thing

    Pretty sure I posted this, and it got solved:

    Here's another 8-Steps:

    Download the following 4 tools, and print these instructions

    1. Download VundoFix; Trojan.Vundo Removal Tool; VirtumundoBeGone and ComboFix.
    2. Go Offline - pull the cable network, turn off wireless card, turn off your modem.
    3. Restart computer and press F8 to run Windows in Safe Mode
    4. Run VundoFix.. Click on the Scan for Vundo. Scanning will begin, which takes a long time. In the white box will display the names of infected files. After the scan is complete click Remove Vundo, removal will begin. Confirm by clicking Yes. The application should ask for permission to restart your computer - click Yes. Start Windows in Safe Mode again.
    5. Run FixVundo. Click Start, and then follow the instructions. It should be noted that this application can deal only with older mutations of Vundo (Virtumonde).
    6. Run VirtumondoBeGone. Click Continue and wait for the report.
    7. Run ComboFix. Then, in the two windows that appear, click Yes, and start scanning and removal of any Vundo (Virtumonde) infection. During this operation, you are not allowed to move the mouse or perform other actions. After the scan is complete, the program will show a text file, a report of the program's actions.
    8. Restart computer and run Windows normally.
     
  9. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    I don't have to turn off my modem AND pull my cable too...?

    Ok, I am downloading the apps right now.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Actually I'm going to remove that line ;)

    I need to add SDFix anyway

    Please download and run SDFix (I'm sorry, but I must refer you to this tutorial on its use, scroll down to "SDFix Instructions")

    Download, and run the "RunThis.bat" in Safe Mode, as advised
    Then attach the log and (after the SDFix scan) a new HJT log
    Oh, by the way, it says that it may take 20 mins to scan! (Mine took over an hour to complete!)
     
  11. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    I ran them all in safe mode.
    First scan came back clean, so I didn't restart; the Symantec FixVundo also came back clean... I think VirtumondoBeGone and ComboFix might have done something; I wasn't paying too much attention.

    I will go run the SDFix scan now.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    kimsland, I'll let you handle this- you seem to be getting further than I did.

    kitty, it's not a matter of 'making me happier'. You made it clear in the beginning that you wanted to keep the P2P programs. You ran the cleaning programs, but did not check for removal. You were continuing to get new malware and you weren't removing the entries I gave you.

    Now, if some of that has changed, maybe you can get the system cleaned up. You are in good hands with kimsland.
     
  13. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    finished scan, here are the logs:
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    µTorrent
    Azureus
    Orbitdownloader

    And

    Microsoft SQL Server
    DAEMON Tools
    K-Meleon web browser
    Rainlendar desktop calendar
    And all the horrible GoogleUpdate stuff
    incl. googletalk; Google Photos etc etc

    And

    Windows Live
    Messenger
    AskBar

    You have a whopping 34 Windows startups (I have 1, by the way)
    And a further 9 Services startups

    !

    Um, I wouldn't know where to begin :/
    You can read here on P2P issues: http://www.techspot.com/vb/topic124748.html
    Certainly with all this stuff installed, malware support is next to useless, as you'll highly likely get re-infected, I'd say... Now.

    But, the real issue is your "normal" computer and Internet use
    Windows will never be able to work properly with all this (actually it's amazing it runs). I advise strongly on getting a Linux boot CD (i.e. Ubuntu), and on your file sharing habits. As for all the rest, are you a 16 yo girl or some "dude" teenager kid?

    I hope you have made backups of your data
    And whatever you do, don't keep sensitive info on that computer; I reckon even I could log into your computer in about 30 seconds! (Which I wouldn't, i.e. I don't actually like malware.)

    Sorry I can't help you any further, especially since you'll be back time and time again asking for the same help. The fix is to grow up (I need to be truthful) and remember that support may not always help you freely, i.e. a costly exercise to learn, over the years. Or I could just be jealous that I'm not young. Either way, if I had that computer here, it would be format to fix it all up. Until you got at it again of course :(
     
  15. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    I am probably most worried about malware, not startups, which DO need to be cleaned some more (I cleaned it about 10 minutes ago).

    I don't know why everyone is so hard on orbitz; it's a great download manager. Yes, it does download from other users if possible to speed up downloads, but it is certainly not a torrenting program.

    I use legitimate torrents for files otherwise ridiculous to download without a download manager *COUGH*orbitz*COUGH*, like the Ubuntu ISO I already have. The last three things I remember downloading (probably the only things I've torrented all year) are the official Razer TSL Finals JianFe v Draco, StarLeague MSL Finals Zero v Practice, StarLeague S?%#%$???? finals, Bisu v ?%^$?????, or something like that.


    Right now in my newly cleaned startup folder, all users startup folder, local machine startup regs, and my own startup regs are:

    Arctosa - Keyboard drivers
    avgnt - Avira
    EVGAPrecision - Graphics card monitor
    Lachesis - Mouse drivers
    RTHDCPL - Real HD audio drivers
    EVGAPrecison - Opens the program
    NvCplDaemon, NvMediaCenter, nwiz - NVIDIA SUPERFLUOUS drivers.

    now for the more subjective ones:

    LogonStudio - makes the logon screen look too cool to not have.
    googletalk - Alerts me to new emails
    Rainlendar2 - Calendar, must have some form of order :).
    RocketDock - First successfully OS-ported app; it's an OSX taskbar.
    WindowsLiveMessenger - Messenger...

    and that ^ should be everything in those four main startup areas; haven't looked through the others yet.


    How so? Any specifics? I will probably try and prevent more of this. Though I think the original virus I made this thread for was from a flash drive O.O.

    What would that one be?

    Wha? Not work properly? I don't see anything different aside from the UI and speed, and even before I cleaned my startup (like in those logs), it would be considered semi-organized for this computer; I have never really seen any problems even with a LOADED startup and more...

    No, of course not, and nothing I couldn't get off the internet quickly. Actually, there is no password for at least one of the accounts; hope that keeps you out for a bit longer :p.

    Please do, it won't hurt my feelings ...:), and thanks.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Kitty, you're like a kid playing with toys! And you have no clue what a 'torrenting' program is. Two of us have told you that unless you change your ways, your computer system will be constantly getting infected with malware.

    And of all those Startups you listed, the ONLY one that NEEDS to start on boot is Avira.

    The rest is just eye candy.
     
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    This is how so.

    But I don't want to defend my support
    Or even prove why support suggest the best answers

    It's up to you to decide if you want to take that support on or not.
    Truthfully I'm not concerned
    I had one member who argued the same ol' P2P argument with me, and in the end they said they would keep it, or use it again. My response was: thanks for the update, you are all done now :grinthumb Actually they seemed quite happy too ;) Until I saw them come back a month later with the exact same issues. I decided not to even reply.

    Anyway, your choice and all
     
  18. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    Ok, I will uninstall Azureus; it's definitely not helping, especially since it's so bloated.

    Now I am wondering, is having uTorrent installed and not using it dangerous? If it is, I will remove uTorrent also; else it's staying.

    I am probably keeping orbitz no matter what O.O...
    Anyway, yep I think this is about done here,

    So thanks everyone, and hope not to see you on any of MY 8 steps.

    EDIT: ever since I stopped the K-Meleon loader, I've noticed a few hundred millisecond increase whenever I open K-Meleon :haha:
    Eh, also, do you know of any good defraggers? Preferably freeware? Unless the Windows defrag is fine, in that case you can just ignore this.
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I'll watch out for any further (future) Malware faults you have ;)
    As for "is uTorrent safe to keep": obviously no, as it depends on the person's downloading (and consequential uploading) habits. From your responses I've made the assumption that you may not be experienced enough on system failures just yet ;) :) :p

    Windows Defrag is just fine. I've supported too many alternative defraggers that Windows will fault with certain other programs installed

    Some support members suggest alternatives. Basically there's no need. I've written a lot on Windows defrag at TechSpot, and got right into it and other alternatives. Defrag only needs to be done when your system becomes less responsive or when Windows states to do it. Otherwise you are just putting further strain on the hard drive (now I know this can also be said for a fragmented drive, but my point being Windows defrag every 3 to 6 months is enough for anyone)

    Anyway, good luck, thanks for the update, you are all done now :grinthumb
     
  20. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Topic Starter Posts: 4,378   +127

    Sorry, one more quick question: I heard font files eat a lot of time loading. Does Windows just load the fonts in your Fonts folder? As in, could I make a FontsDisabled folder and move the majority of unused fonts into it and speed up load times?

    Thank you...again.
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yes you can

    But you cannot move out the Windows required fonts
    Well I mean it is possible of course, but if you move the Windows required fonts out, then it is possible to corrupt Windows.

    All other "extra" fonts can be moved out (to a disabled fonts folder, if you like)
     
Topic Status:
Not open for further replies.

