TechSpot

Can't get PC fully clean, browser malware remains

By Jenovation
Feb 15, 2009
  1. Yesterday I opened up a faulty .exe which unleashed a mayhem of malware on my computer.
    I immediately came to an ActiveX video download, and a whole bunch of other trash appeared. Upon restarting, my PC wouldn't even run without
    getting a blue screen of death during the boot. Fortunately I got past that and Malwarebytes was able to remove 20 infections.
    (nearly got a heart attack)

    Now my computer works fine, but it's still not 100% clean. Running a scan with both Malwarebytes and SpywareDoctor results in 0 infections.
    But I'm sure it's not fixed. First off I kept getting an error upon startup about a file xccdf16_090131a.dll.
    However after I manually deleted a rundll32.exe in Windows\System32\inf (where it shouldn't be I think)
    that error stopped.

    However my computer is still running a tiny bit slower and some processes, such as (you've guessed it) rundll32.exe in my task manager
    seem somehow suspicious... (although I can only find the file now in the system32 folder)

    The worst and most unpleasant thing is that my browser (Mozilla) sometimes redirects me to a fake porntube website immediately asking me to download
    a 'video object' which is just more malicious trash... ("best.tube.download.org" and a bunch of stuff after that, I'm not going to post an unsafe link)
    So I need to end Firefox with the taskmanager... it's very annoying, unsafe and I'd like my pc to be clean again.

    These popups are also trying to stop me from downloading software which could help me. It started appearing much more
    trying to download HijackThis.... Which I haven't been able to download since my Mozilla download log is showing downloads of .exe files
    are being blocked by trendsecure.com. I'm going to get it off my other PC now and I'll post a log when I get it installed.

    I really really hope you guys can help me, usually the few times I get viruses I can fix it myself with doing some forum searching,
    but now it's beyond me how to fix this......

    Thank you for your time and effort in advance
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  3. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    I've already uninstalled Spyware Doctor, I don't have anything else on it except Malwarebytes.
    (Is spywaredoctor unsafe?)

    The problem why I can't follow all the steps is because I cannot download any .exe files.
    I believe it's being blocked by the virus.

    I'm gonna see if I can get it off my other PC now.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Try Safe Mode with Networking. Also read below


    The logs are paramount before attempting support
     
  5. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    alright, will get back to you asap with the three logs.

    Ok apparently SuperAntiSpyware found some stuff, here are the logs.
     


  6. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hmm, I can't read that language
    But you do need an Antivirus (ie as per guide)

    Install Avira free AntiVirus
    And run a full scan
     
  7. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    Are you talking about Malwarebytes, should I reinstall in English?

    Currently doing the Avira scan, I'll post what it comes up with...
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    No you don't need to change your language for me ;) :D

    But, I'm getting a bit slower at the moment, I might need to sign off for a while (presently supporting about 4 member's threads)
     
  9. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    I ran Avira; it found a bunch of other stuff, I'll attach the log (it seems full English ^_^ )

    I'll use my computer a while now, see if the problems are fixed.

    And also, thank you for taking the time, I really appreciate how you help all us people,
    it must be a fulltime job!
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Thanks :grinthumb

    Download Combofix
    Lots of info on its use here
    Direct download here

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply
    Restart back to Normal mode, and attach the Combofix log
     
  11. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    Here's the Combofix log, the headers appear to be in Dutch, I could not choose an install language, sorry :(
     
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Good :grinthumb

    Run the Norton Removal tool (I saw some instances of horrible Norton on your computer)

    Uninstall SuperAntispyware

    Clear system restore points

    • Clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

    Restart.

    How's it all going now? Good? Bad? OK?
     
  13. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    Am running Norton remove now.

    SuperAntispyware is removed.

    Made a restore point,
    however when typing cleanmgr I have no 'more option' tab,
    it just asks me to pick a drive (C: or D:)
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    C

    Or you can just run CCleaner (or do both)

    Actually I know this is getting a bit much, but I also run KCleaner ( I even select all the options - and mine runs great :grinthumb )
     
  15. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    Oh, I had already run CCleaner, I do it after almost every action.

    Ok so now when I startup there is a Windows version pick that appeared, is this normal? (One said Recovery something, it went away too fast to read)

    After running the Norton tool there is also now a red shield in the taskbar annoying me about windows security. (because I disable Firewall and Automatic updates)

    I have noticed the Firefox downloads are working again!!!

    That's definitely a good sign, now to see if those malicious popups have stopped too...



    EDIT: actually it seems a lot of standard services have been re-enabled that I turned off a long time ago to get better performance
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Well enable Windows firewall on your Network connection
    But you can turn off "Security Center" (ie Disable) from going to Start->Run-> services.msc if you like

    Oh I forgot about that :(

    Yes I run these tools too
    And yes :( I then must set up Services again)..... Sorry
     
  17. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    Oh please don't apologize, you have already helped me so much and I'm very grateful, disabling some stupid services is the least of my worries.

    I'm going to see if I still get the popups, but so far it seems great.
    Thank you so much! :)
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    The shocking part, to some, is when they click on the Windows Start button, and see Internet Explorer up the top! You know it's very hard to explain in words, how to put Firefox back there. But I still do it anyway.

    By the way if you used this before: http://www.mvps.org/winhelp2002/hosts.htm
    Guess what? Hosts file is reset too :(
    I'd say even if you never used that before, you need to download it
    That'll help :grinthumb
     
  19. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    actually explorer is not there with me.
    But I did disable it completely in the program access. Internet Explorer's no good for me to be used.......EVER.

    I have installed the Host files.
    And I really think my pc is clean now, I haven't gotten the popups anymore and downloading files seems to work perfect again.

    There is still a rundll32.exe running in my processes, (which I was suspicious about at first)
    but if you can tell me it's safe I'd consider
    the problem solved.

    thank you :)
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Oh those rundll32.exe entries, removable from running a HJT scan, are just your system icons (like Video settings etc) located near your system clock (bottom right hand side) That's all ;)
     
  21. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    I think some pages are still being redirected :(
    Clicking your link to Avira on this thread is redirecting me to Clube Zero9, some Spanish advertisement stuff.

    Still something there......
     
  22. Gustafog

    Gustafog TS Rookie

    Having the same problem. For me the virus is only activated in Firefox, not Internet Explorer. Tried every scan I can think of, but no one seems to find the virus. I don't want some relative clicking a link and get directed to best-tube-download.org.
     
  23. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    actually following the steps has fixed that fake porntube popup for me.
    but perhaps you should make your own thread so they can help you on your own system
     
  24. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yes, how to create a New Thread info here: http://www.techspot.com/vb/topic114336.html

    Please download and run SDFix (I'm sorry, but I must refer you to this tutorial on its use, scroll down to "SDFix Instructions")

    Download, and run the "RunThis.bat" in Safe Mode, as advised
    Then attach the log and a new HJT log
     
  25. Jenovation

    Jenovation TS Rookie Topic Starter Posts: 16

    ok here are the logs



    EDIT: previous redirects are now working again! yay! thanks!!! :)
    it might be over after all, if I notice something else I will post it here (if not closed by then)
    (and unless you notice something in the logs)
     
Topic Status:
Not open for further replies.

