TechSpot

Am I Clean?

By Newby
Jul 13, 2007
  1. Dear All
    I was recently infected by spyware/malware which caused unwanted pop-ups, system alerts and red exclamation marks on my task bar. I have followed steps 1-15 from the Viruses/Spyware/Malware preliminary removal instructions and think it's gone! No more pop-ups or alerts, and now I have manually removed the shortcuts from my favorites the system seems clean :)
    HJT log attached, please advise.
    Also, any further protection I should take to prevent other problems?

    Thanks
    Dan
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Regarding the following entry in your HJT log:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

    Did you set this proxy yourself or do you know what it is? Also, do you get your Internet from orange.co.uk? Please answer these questions in your next reply.

    Please do the following.

    Navigate to www.virustotal.com.

    Click the Choose... button.

    Navigate to the following file.

    C:\WINDOWS\msole.dll

    Click Open, then click Send File.

    Please post the results here, as well as fresh HJT, ComboFix, and AVG Anti-Spyware logs (as per the preliminary removal instructions) as attachments into this thread.

    Regards :)

    This thread is for the use of Newby only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
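An added example, not from this thread or from HijackThis, that parses R0/R1 lines like the one quoted above and flags every ProxyServer target that is not on a list of proxy hosts the user recognises. The sample lines are copied from the log quoted in this thread; the empty KNOWN_PROXY_HOSTS allowlist is an assumption (Dan said he did not set the proxy).

```python
import re

# Constructed sample: R0/R1 lines from the HijackThis log quoted in the thread.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;localhost",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/",
]

# Assumption: proxy hosts the user knows they configured; empty because none was set on purpose.
KNOWN_PROXY_HOSTS = set()

# HJT R0/R1 layout: "R1 - <hive>\<key>,<value name> = <data>"
R_ENTRY_RE = re.compile(r"^R[01] - (?P<hive>\w+)\\(?P<key>.+?),(?P<value>[\w ]+) = (?P<data>.*)$")

def parse_r_entries(lines):
    """One dict per R0/R1 line; any other HJT line is ignored."""
    return [m.groupdict() for m in (R_ENTRY_RE.match(l.strip()) for l in lines) if m]

def parse_proxy_server(data):
    """Split a WinINet ProxyServer value into {protocol: (host, port)}.

    The value is either 'host:port' (one proxy for every protocol) or a
    ';'-separated list of 'proto=host:port' pairs; as in this log, the
    host may carry a scheme prefix ('http=http://host:8080')."""
    proxies = {}
    for part in filter(None, (p.strip() for p in data.split(";"))):
        proto, _, target = part.partition("=")
        if not target:                       # bare 'host:port' form
            proto, target = "all", proto
        target = re.sub(r"^[a-z]+://", "", target)
        host, _, port = target.rpartition(":")
        if not host:                         # no port given
            host, port = target, ""
        proxies[proto] = (host, int(port) if port.isdigit() else None)
    return proxies

def suspicious_proxies(lines, known_hosts=KNOWN_PROXY_HOSTS):
    """(protocol, host, port) for every ProxyServer target not in known_hosts."""
    flagged = []
    for entry in parse_r_entries(lines):
        if entry["value"] != "ProxyServer":
            continue
        for proto, (host, port) in parse_proxy_server(entry["data"]).items():
            if host not in known_hosts:
                flagged.append((proto, host, port))
    return flagged

if __name__ == "__main__":
    for proto, host, port in suspicious_proxies(SAMPLE_HJT_LINES):
        print(f"unrecognised {proto} proxy: {host}:{port}")
```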
     
  3. almcneil

    almcneil TS Guru Posts: 1,277

    Regular Computer Maintenance

    I advise my customers to perform regular computer maintenance. How often depends on how much you use the Internet and what kind of activities. For typical users, I'd say 40 to 60 hours of Internet use. For those who engage in high risk activities such as peer-to-peer filesharing (i.e. Limewire, Kazaa, Ares, ... ) or visiting illicit web sites (gambling, pornography, psychic, ... ) about every 10 hours.

    Here are my 10 steps for regular computer maintenance:

    1. Backup any important new files
    2. Flush Internet caches (Internet Options)
    3. Run anti-rootkit scan (AVG Anti-Rootkit)
    4. Run anti-virus scan
    5. Run anti-spyware scans (Ad-Aware 2007, Spybot Search & Destroy, AVG Anti-Spyware)
    6. Empty recycling bin
    7. Restart computer
    8. Download/install any new Windows updates
    9. Create system restore point
    10. Defrag internal hard disk drive
     
  4. Newby

    Newby TS Rookie Topic Starter

    Thanks for the reply

    Hi kitty500cat
    In answer to your query I don't know what the proxy is, sorry!
    Have attached the result of the total scan (copied & pasted into a text doc, hope that's okay), new HJT log and ComboFix log. Sorry for the delay, ComboFix won't run unless I turn off Prevx 2 as it seems to conflict. Last AVG Anti-Spyware log was clean (that's why I didn't attach it previously).
    Thanks a lot for the assistance :)
     
  5. Newby

    Newby TS Rookie Topic Starter

    No attachment

    Just saw the virustotal log did not attach, see below:

    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.14.0 2007.07.13 no virus found
    AntiVir 7.4.0.39 2007.07.13 no virus found
    Authentium 4.93.8 2007.07.13 no virus found
    Avast 4.7.997.0 2007.07.13 Win32:Rozbonbon
    AVG 7.5.0.476 2007.07.13 no virus found
    BitDefender 7.2 2007.07.13 Generic.Downloader.NXM.5C8D1752
    CAT-QuickHeal 9.00 2007.07.13 no virus found
    ClamAV devel-20070416 2007.07.13 no virus found
    DrWeb 4.33 2007.07.13 Trojan.DownLoader.25864
    eSafe 7.0.15.0 2007.07.10 no virus found
    eTrust-Vet 30.8.3783 2007.07.13 no virus found
    Ewido 4.0 2007.07.13 no virus found
    FileAdvisor 1 2007.07.14 no virus found
    Fortinet 2.91.0.0 2007.07.13 no virus found
    F-Prot 4.3.2.48 2007.07.13 no virus found
    Ikarus T3.1.1.8 2007.07.13 Trojan.Win32.Agent.aka
    Kaspersky 4.0.2.24 2007.07.14 no virus found
    McAfee 5074 2007.07.13 no virus found
    Microsoft 1.2704 2007.07.12 no virus found
    NOD32v2 2397 2007.07.13 no virus found
    Norman 5.80.02 2007.07.13 no virus found
    Panda 9.0.0.4 2007.07.13 Generic Malware
    Sophos 4.19.0 2007.07.06 no virus found
    Sunbelt 2.2.907.0 2007.07.14 no virus found
    Symantec 10 2007.07.14 no virus found
    TheHacker 6.1.6.146 2007.07.13 no virus found
    VBA32 3.12.0.2 2007.07.13 Trojan.DownLoader.25864
    VirusBuster 4.3.23:9 2007.07.13 no virus found
    Webwasher-Gateway 6.0.1 2007.07.14 Win32.UPXpacked.gen!94 (suspicious)
    Aditional information
    File size: 53760 bytes
    MD5: 9a2872902d00b52ca4ecaddfd1bbbd4b
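An added example, not from this thread or from VirusTotal, that parses a pasted result block in the layout shown above and summarises how many engines flagged the file and which labels are named families versus generic or heuristic verdicts, the useful view when engines disagree as they do here. The embedded text is a constructed excerpt of the results pasted in this post (header, some engine rows, footer).

```python
import re

# Constructed excerpt of the VirusTotal result block pasted above.
SAMPLE_VT_OUTPUT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 Win32:Rozbonbon
BitDefender 7.2 2007.07.13 Generic.Downloader.NXM.5C8D1752
DrWeb 4.33 2007.07.13 Trojan.DownLoader.25864
Kaspersky 4.0.2.24 2007.07.14 no virus found
McAfee 5074 2007.07.13 no virus found
Panda 9.0.0.4 2007.07.13 Generic Malware
Symantec 10 2007.07.14 no virus found
Webwasher-Gateway 6.0.1 2007.07.14 Win32.UPXpacked.gen!94 (suspicious)
Aditional information
File size: 53760 bytes
MD5: 9a2872902d00b52ca4ecaddfd1bbbd4b
"""

# An engine row is: <engine> <version> <yyyy.mm.dd> <result text>
ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$")
CLEAN = "no virus found"

def parse_vt_results(text):
    """Return (rows, md5): one dict per engine row; header and footer lines are skipped."""
    rows, md5 = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
        elif line.lower().startswith("md5:"):
            md5 = line.split(":", 1)[1].strip()
    return rows, md5

def detections(rows):
    """(engine, result) for every engine that reported something, in output order."""
    return [(r["engine"], r["result"]) for r in rows if r["result"] != CLEAN]

def summarise(text):
    """Detection ratio plus a split of family-named labels vs generic/heuristic ones."""
    rows, md5 = parse_vt_results(text)
    hits = detections(rows)
    heuristic = [e for e, res in hits if re.search(r"generic|suspicious|\.gen\b", res, re.I)]
    return {"md5": md5, "engines": len(rows), "hits": len(hits), "heuristic": heuristic,
            "named": [e for e, _ in hits if e not in heuristic]}

if __name__ == "__main__":
    print(summarise(SAMPLE_VT_OUTPUT))
```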
     
  6. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Run HijackThis and do a system scan. Place a check in the box next to the following entries (if there):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;localhost

    Close all browser windows, including this one.

    Click the Fix Checked button in HJT. Once it's done fixing, close HJT.

    Please reopen the browser window and follow the rest of these instructions.

    Navigate to the file C:\WINDOWS\msole.dll (if there). Rename it to msole.dll.bak

    Follow the instructions for VirusTotal again, except scan the following files instead:

    C:\WINDOWS\system32\VchReg.dll
    C:\WINDOWS\ua2.dll

    Please post the results here.

    Regards :)

     
  7. Newby

    Newby TS Rookie Topic Starter

    Thank You

    Hi Again
    Sorry for the delay, these different time zones make it hard to communicate (I'm in the UK).
    Ran HijackThis and checked the boxes as recommended. Found C:\WINDOWS\msole.dll (but it had the prefix msole.dll.vir) and changed it to msole.dll.bak.
    Used VirusTotal, logs attached, both were clean.
    Did you want another HJT log?
    Thanks again for your help!
    Dan
     
  8. Newby

    Newby TS Rookie Topic Starter

    Now No DVD/CD ROM

    Hello Again
    System seems to be running fine, the only problem now is the computer doesn't seem to see the DVD/CD ROM!
    In Device Manager the properties for the two drives I have (Pioneer DVD WR DVR-108 & IDE DVD-ROM 16x) have the following message in the device status: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)"
    I have tried uninstalling and reinstalling, but no joy, can you help?

    Thanks Again!
     
  9. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please post one more HJT log.

    As for your problem with the optical drives, you should open a new thread in our Device Drivers forum.

    Regards :)

     
  10. Newby

    Newby TS Rookie Topic Starter

    Log attached, hopefully for the last time.
    I wasn't sure if the corrections made might have influenced the drivers?
    Will post thread in appropriate forum.
    Really appreciate all your support.
    Dan
     
  11. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Have HJT fix this inactive entry yet:

    O21 - SSODL: msole - {B84C6E99-0933-463B-A2FB-1AD892FF143D} - C:\WINDOWS\msole.dll (file missing)

    I believe your system is clean now.

    Please do the following yet.

    Delete all files in AVG Anti-Spyware Quarantine folder (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine).

    Turn off system restore (XP/ME only). See how HERE
    This will remove all your old system restore points and any malware hiding in them.

    After that turn system restore back on.
    This will create a new, clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article. This can help to prevent future infections.

    Should you have further virus/spyware problems, please post in this thread.

    Regards :)

     
  12. Newby

    Newby TS Rookie Topic Starter

    Have Removed Recommended File

    Hi kitty500cat
    Have removed recommended file, new log attached.
    I did turn off system restore previously, then turned back on...
    Will follow rec and also read article.
    Can't thank you enough, you are a star! :)
    Fingers crossed I can get my drives back now!
    Newby (Dan)
     
  13. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    HJT log looks good.

    As for the optical drives, have you tried visiting Windows Update (http://update.microsoft.com/)? That might detect the driver problem and offer a new driver for download.

    If that doesn't work, go to start->run, and type in devmgmt.msc. Press Enter.

    See if the drives are listed there at all.

    Regards :)
     
  14. Newby

    Newby TS Rookie Topic Starter

    All Good!!

    Dear Kitty500cat & all at Techspot
    System now back to normal, no more spyware and my drives are working again!!
    I ended up following some advice from Microsoft; had to remove upper & lower registry filters and hey presto, after a restart the drives reappeared.

    Just wanted to say thanks to anyone who assisted me, especially Kitty500cat.

    Best wishes
    Dan
     
  15. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    You're welcome. I'm glad to know it worked out for you.

    If you have any further virus/spyware problems, please post in this thread.

    Regards :)
     