Done the 8 steps and now the virus

By pascaleledumbo
Apr 23, 2009
Topic Status:
Not open for further replies.
  1. Hey guys!

    Just as advised, I've done the 8 pre-liminary steps..

    And here are attached the logs from Malwarebytes anti-malware, SuperAntiSpyware and Hijackthis..

    The virus was detected by AVG as Win32/Heur and also trojan horse generic.

    The recurring symptoms was a pop-up via IE directing to a Chinese website.
    Each time AVG running a whole computer scan, it'll abruptly terminate and a msg saying "avgcsrvx.exe has encountered a problem..."
    I do have the screen shots if they're needed.

    AVG also keeps asking me to restart the laptop, but somehow after I restarted the virus still there and they're growing! After I re-scanned, the number of the virus would increased.

    So far those are the only symptoms. I just got this problem since last week, probably got infected from a mate's laptop.

    Any info on the logs and how to exterminate these threats is highly appreciated.

    Looking forward to hear from you guys!!

    Thanks heaps!!
  2. dayslayer8

    dayslayer8 Newcomer, in training Posts: 53

  3. pascaleledumbo

    pascaleledumbo Newcomer, in training Topic Starter Posts: 24

    hmm..Not my FFox homepage tho..I haven't tried on IE...

    I kno!! The experts aren't here yet...We gotta wait patiently...:D

    I'd like to add something in my question pls..

    My External HDD also got infected by a virus...And I think it's because it was plugged to my laptop..

    Anyway..The anti-virus on my uni detected it as "Mal/EncPk-GF"

    I can't post the link of the virus yet..But if needed i'll post it down..

    Since it got detected, I realized that suddenly there are "autorun.exe folder" and "System Volume Information" folders in it..

    And before, there was the WD icon on my HDD (the icon of the drive if it's being opened thru my computer...But now it's also gone..

    I decided to delete those folders and the anti-virus has stopped detecting the threat..

    Was that a smart move or totally a dumb one??

    Thank you for your help guys...
  4. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,550   +18

    Warez and Keygen Detected - AVG Running.

    One of my professors once said, "A word to the wise is sufficient."
    Another, being a bit of a wiseguy, quipped, "A word to the sufficiently wise isn't necessary." :haha:
    IF you want help, there are those here who are willing to help, but...

    First you need to get rid of (if you have)
    1. P2P software (including Torrent clients, like BitTorrent, Azureus, etc)
    2. Pirate Software (including Keygen software).
    It is evident that some of your issues derive from Warez sites and your rogue keygen. :suspiciou

    AND - you need to follow the steps strictly...
    It is not that other AV software is "bad" per se... just that the one's recommended are among the very best and their results (success) very predictable.
    So
    If you have trouble getting rid of the keygen and warez... this 8-step process will help you move in that direction. I will not be back for a few days, but some of those who are more experienced will be around, and will likely take a peek to see how you are doing. :wave:

    Another hint... tighten up your webbrowser security... In Firefox -> Tools -> options
    Pay attention to your settings in the privacy and security tabs...

    and... Well... stating the obvious / well known / "unnecessary" again... :eek: Watch your browsing habits...
    Big sources of malware... Warez, P2P/Filesharing (including music), Porn, (you get the idea).
  5. pascaleledumbo

    pascaleledumbo Newcomer, in training Topic Starter Posts: 24

    From the brief glance of the logs..I saw that most of the adware caught through the guest account on my laptop...*I'd be damned to lend it to someone else after this..*

    Alrite..I'll try to uninstall AVG and use AVIRA and i'll post up the next update..
    Btw..The KeyGen thingy...I'll get deleted by the anti-malware right? Or I'd need to uninstall it manually??

    Cheers..

    Greetings!!

    It seems that AVIRA has managed to contained the virus *yay!!*

    I did run malwarebytes twice and super anti spyware again also hijackthis..

    Here's their newest log...
    2 for Avira..The viruses+trojan..And the latest one..
    1 for malwarebytes
    1 for superantispyware
    1 for hijackthis log

    I am not so good at spotting dodgy entries there..So I'd really appreciated any help from experts around here for help..

    Cheers guys!! Hv a great weekend!

    Attached Files:

  6. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,550   +18

    Good start - now need expert hjt advice.

    I only gave it a quick glance, and
    I think that your HJT log could be cleaned up considerably, but not being an expert,
    I hope one of those who are more experienced with it will come along and offer their advice.
  7. pascaleledumbo

    pascaleledumbo Newcomer, in training Topic Starter Posts: 24

    B00kWyrm..Thank you for checking back on my logs..Really appreciate it..

    Yea...I haven't got any expert replying on my posts actually...>_<

    Umm..Experts @ TechSpot...Please do review my logs....As I really am don't understand the HJT logs stuffs..
  8. kritius

    kritius TechSpot Guru Posts: 2,087

    You don't appear to have a software firewall running on your system, while you may have the windows firewall enabled this will not be enough to protect you while online.

    This is because the windows firewall will only protect you from inbound traffic, not outbound. In order to make sure that you are properly protected here are some good free alternatives;


    Remember to use only ONE firewall though.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - Startup: 300995.lnk = C:\WINDOWS\system32\58FB35\300995.EXE
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    [​IMG]Combofix
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    Link 3
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      [​IMG]

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      [​IMG]

      Click on Yes, to continue scanning for malware.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.