TechSpot

Having another virus issue

By Sheena314
May 23, 2010
  1. For some reason, whenever I do a scan, my computer keeps saying items are detected, so I am not sure if a virus keeps reinfecting.
    Here is my computer info:

    Processor type: AMD Athlon (tm) 64 X2 Dual-core processor tk-55 1.80 GHz

    RAM: 2GB

    Hard Drive size/free space:
    Local Disk (c)- 82.7GB free/140GB
    HP recovery- 1.80GB free/ 8.42GB

    C: 84.1GB free/140GB
    D: 754MB free/7.35GB
    H: 1.03GB free/1.06GB

    I don't know why, but every time I run GMER it shuts down my computer before it finishes. I tried unchecking the device option and also running the program in safe mode, but it didn't work. Is there another program I can use?

    My other logs are attached.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the following two programs:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename ComboFix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe & follow the prompts to run.
       NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If ComboFix asks you to install Recovery Console, please allow it.
    6. If ComboFix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Then Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please disable or uninstall Ares and any other file sharing program. If you choose not to uninstall it, do not use it while I am helping you. Don't use any other cleaning programs or scans unless I direct you to. Do not run a Registry cleaner or make any changes in the Registry.

    Please leave the Combofix report and Eset log in your next reply.
     
  3. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    Okay here are the requested logs,(they are long so I am just going to attach them).

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Go ahead and run this while I check Combofix:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Services
      :Reg
      
      :Files  
      C:\Users\Gordon\Documents\Downloads\FireFox Downloads\install_flash_player(2).exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  5. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    When I restarted the computer, the log came up automatically:
    ===========================================================
    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Users\Gordon\Documents\Downloads\FireFox Downloads\install_flash_player(2).exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gordon
    ->Temp folder emptied: 67507 bytes
    ->Temporary Internet Files folder emptied: 5341965 bytes
    ->Java cache emptied: 1826 bytes
    ->FireFox cache emptied: 33064587 bytes
    ->Google Chrome cache emptied: 130460128 bytes
    ->Flash cache emptied: 23647 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Sheena
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1090 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 40010 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 161.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05242010_174835

    Files moved on Reboot...
    File C:\Users\Gordon\AppData\Local\Temp\ehmsas.txt not found!
    File C:\Users\Gordon\AppData\Local\Temp\etilqs_J6u9bSPWS9c6RRfMF9Dg not found!
    File C:\Users\Gordon\AppData\Local\Temp\etilqs_omdXRqqflM6zmyKgfDQG not found!

    Registry entries deleted on Reboot...

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    By the way, if you paste in a log, you don't need to include it as an attachment also- and vice versa.

    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    c:\users\Gordon\AppData\Local\ujniyuadn
    
    DDS::
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    uRun: [ares] "c:\program files\ares\ares.exe" -h
    
    Registry::
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ========================================
    LimeWire was installed in 2008. This is also a file sharing program. I see Ares was removed.
     
  7. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    Okay, I just did that in case the post was too cluttered to read. I will post the log as soon as I can.
    Yeah, I removed Ares because I have never really used it. I didn't even realize LimeWire was still installed. I will uninstall that as well.
     
  8. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    Attached is the requested log.

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, one more bit of script. Please be sure that Norton is disabled before running it:

    Disable:
    AV:[ Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    SP: Norton Security Suite *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    
    Folder::
    c:\program files\LimeWire
    c:\program files\Vongo
    c:\program files\Common Files\muvee Technologies
    
    Registry::
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ======================================
    And to be sure there are no more bad entries:
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Paste both logs into next reply.

    After I review these, if the problems have been resolved, I'll have you remove the cleaning tools.
     
  10. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    Attached are the requested logs.

    By the way, the brilliant work you have done to help me is already showing results. For some reason, the right-click portion of my touch-pad was not working much at all, and then, after this last scan, it is working pretty much like normal. I am wondering if a virus caused it to not function, although that seems strange.

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About the Touchpad: Go to the Control Panel> Mouse> Touchpad tab> Adjust settings to your comfort. I found it to be 'set and try'> Click on Apply when finished> OK.

    Question:
    Did you download the DivX bundle which includes numerous players, codecs, coders, etc., each of which has its own uninstall.exe file? Looks like it was on 4/2/2010 and the next entries are all on 5/29/2010. Have you tried to uninstall any parts of it?
     
  12. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    I think I was at a webpage that downloaded that file, since I told my computer to trust it, but if you think it should be uninstalled, I can do that.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you want the program or did it just download because you were on the page?
     
  14. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    I did want the program. I have had it before, because it seems a lot of sites that play videos sometimes use this program. But I made sure to research it before I allowed it to be installed.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, no problem. I was going to remove it for you if you didn't. These logs look good, so now you can remove all of the tools we used and the files and folders they created.
    • Uninstall ComboFix and all backups of the files it deleted:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    ===============================
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Stay safe and let me know if you have any further questions.
     
  16. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    Okay. Thank you so much for your help.
    I do have one question. Since my logs are clean, is there any reason why Norton keeps finding risks when I do a scan? Is there a program that Norton may think is a risk? I did a scan and it says there were eight risks found and that they were cookies. Are any of the scanning programs making Norton think they are viruses?
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It sounds like Norton is considering Tracking Cookie as 'risks.' You can make some changes that will prevent this:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    ==================================
    Consider these programs for Extra Security
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

    You can use all of the above. You might also want to check in the Norton program to see if there is an option to not check for Tracking Cookies.
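    To show what the MVPS-style HOSTS file recommended above actually does, here is an added example (not from this thread or from the MVPS project) that parses a constructed hosts file in that format and resolves names the way the OS lookup does; the hostnames in it are made-up placeholders, not real ad domains.

```python
"""Parse an MVPS-style HOSTS file and show how its blocking works.

Added example for the TechSpot thread; the hosts content below is a
constructed sample, not the real MVPS list, and the domains are placeholders.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the MVPS layout: comment lines, the localhost entry,
# and ad/tracking hostnames pointed at the loopback address.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample for illustration)
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.example-tracker.test
127.0.0.1  banner.example-adnet.test   # trailing comment is ignored
0.0.0.0    stats.example-metrics.test
127.0.0.1  ads.example-tracker.test    # duplicate entry
not-an-ip  broken.example.test
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address the file assigns it.

    The first entry for a name wins, matching OS behaviour; lines whose
    first field is not a valid IP address are skipped as malformed.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Return the HOSTS override, or None when real DNS would be consulted.

    Matching is exact: an entry for ads.example-tracker.test does nothing
    for www.ads.example-tracker.test, which is the main limit of this method.
    """
    return table.get(hostname.lower())


def blocked_hosts(table: Dict[str, str]) -> List[str]:
    """Names the file sends to the local machine (127.0.0.1 or 0.0.0.0)."""
    return sorted(n for n, a in table.items()
                  if a in ("127.0.0.1", "0.0.0.0") and n != "localhost")
```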
     
  18. Sheena314

    Sheena314 TS Rookie Topic Starter Posts: 48

    Okay. Thank you so much for your help.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome.
     
Topic Status:
Not open for further replies.
