TechSpot

Help with viruses - 8 steps complete

By wbegonis
Apr 7, 2009
  1. Hello all, I am working on my son's PC that didn't have an antivirus for a while and he had several trojans and spyware files. I have since loaded Norton on his PC and have done all of the 8 steps you recommended. The PC is still running terribly slow and seems to still be off a bit. Can you please look at my attached logs and tell me what else I might need to do?

    I also want to thank all of you for the wonderful work you do! You're awesome and I appreciate all of your help!
     

  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Both MBAM and SAS had found items and could find more so UPDATE both and run both again. Quick scans. Post logs.

    Norton is one of the best ways I know to bog down a computer.

    Mike
     
  3. wbegonis

    wbegonis TS Rookie Topic Starter

    updates logs

    Hello Mike, I have re-scanned with MBAM and SAS with the update and it found nothing. Here are the attached logs. I know Norton can slow down a PC a bit, but I have it on several PCs here and it doesn't slow them down as badly as this one which had the viruses and trojans. Thanks for your help.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please disable Real Time Monitoring per Step 3:

    AD-AWARE AD-WATCH
    Didn't anyone realize that the first set of logs actually has 2 SAS logs? The log named mbam was SAS!

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    Run LSP Fix:
    5. Run HijackThis and the entry for NWPROVAU.DLL should now be gone from the list.
     
  5. wbegonis

    wbegonis TS Rookie Topic Starter

    new scans

    Thanks Bobbye for helping. I have done all of what you requested. I have rescanned and I am attaching the new files. Sorry about attaching the wrong files in the first post.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, run HJT Scan Only, select and Fix the below.
    O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

    Then do the below..

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good! That cleared out some unwanted entries!

    But at the risk of sounding pushy, I remind you once again of this:
    From Virus and Malware Removal Prelims: http://www.techspot.com/vb/topic58138.html
    Step 3
    Temporarily Disable Real Time Monitoring Programs

    Did your son ever have AVG on the system? The pesky entry below is a 'leftover' Registry entry from AVG:
    O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    {A057A204-BACC-4D26-9990-79A187E2698E}> AVG

    You might have to search the system, including 'show hidden files and folders' and look for and delete any AVG entries.

    Party Poker is going to leave malware on the system:
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing) (HKCU)

    Mike, instruct on Adobe Update or FoxIt Alternate. Version on system now is Acrobat 6.0.
     
  8. wbegonis

    wbegonis TS Rookie Topic Starter

    Hey Bobbye, I am sorry about the real time monitoring. I do disable it before doing the scans, but I had rebooted right before doing the logs (duh) and it re-enables. I am sorry about that; I will keep a better eye on it. As for AVG, yes, he has had that on before. I will search and delete anything found left over. Should I delete the O3 toolbar and the Party Poker from HJT? Also I will update Acrobat and get back to you. Thanks again.

    Thanks, wonderful people, for helping. I have updated Adobe, done the ComboFix, gotten rid of the O3 toolbar and deleted everything that had to do with AVG. AND I made sure this time I didn't reboot, so realtime scanning is still shut down.
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    OK on AdWatch, but it should not come back on if you follow the steps to disable.

    Sounds like you're coming along fine. He may go back to the Party Poker site, but encourage him to stay away. These gaming sites, Party Poker in particular, are notorious for the trash they put on a system.

    Regarding the Adobe Reader: Most of us think that it is the only PDF reader in town; for a while early on, it probably was. But it comes with a huge amount of bloat. This takes up hard drive space and uses a lot of resources when it's running. The alternate which many of us have gone to is FoxIt, which Mike recommended.

    It is free, it does the same thing as the Adobe Reader and it comes without bloat. Give it a try sometime. If using it, you can go to Add/Remove Programs and remove the Adobe Reader and its bloat files.

    If you go to the FoxIt site, make sure you click on "Free Download" NOT "Get It Free." The first is the free reader, which is all you need, and the second is a paid reader plus other utilities and apps you DON'T need.

    Be sure to UPDATE ComboFix before scanning again.

    Happy computing!
     
  11. wbegonis

    wbegonis TS Rookie Topic Starter

    updates logs

    I have done the AVG fix and the Kaspersky download... although it looked as if nothing happened. I have uninstalled Acrobat and installed FoxIt and had the dreaded talk with him about the poker site. Hopefully we are getting close. Here are the updated logs. Thanks again for all of your help.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    You did a great job!

    Do the below and we are finished!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

    If prompted to Reboot, click Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. You may have this from the 8 Steps.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can be, and are likely to be, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------
    ERUNT
    Add a redundant Reg backup: get and install ERUNT, let it add itself to startup and do a backup on install, check all boxes.

    ERUNT http://www.larshederer.homepage.t-online.de/erunt/
    Yes! Even if you use system restore and other backups Registry and Images.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner, ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is all FYI! Use it or lose it. You should draw a bargain with your son that if he doesn't surf safely, you won't clean up his machine!

    The Ask Bar has found you, again! Something everyone needs to be aware of and look for: many software makers are pre-checking something, usually a Toolbar, on their update sites. You can see this here: Sneaky, sneaky!
    The above is from the ComboFix report. It's not malware, but it clearly shows that Ask Bar came when you downloaded FoxIt! We usually tell people to remove the AskBar as it is very "ad" loaded.

    The interesting thing is that the AskBar is already loading from the Registry! Note the date:
    The bad news is that it looks like he has Limewire stashed!
    "c:\\Documents and Settings\\PJ\\My Documents\\My Music\\iTunes\\LimeWire\\LimeWire.exe"= This is a file sharing program. From kritius:
    If you want to remove AskBar, check the following entries and let HijackThis remove them. When through, boot into Safe Mode, use msconfig to take AskBar off of Startup, then uninstall it in Add/Remove Programs in the Control Panel. (Ignore the nag message when you reboot, check 'don't show again..' and close.)
    Party Poker:
    Have HijackThis remove this button:
    About Party Poker:
    The program is a privacy and possible security risk, and I recommend you optionally uninstall it. If you choose to do so, go to Start > Control Panel > Add or Remove Programs and remove the following program:
    PartyPoker

    Then, using Windows Explorer, delete its program folder at:
    C:\Program Files\PartyGaming


    You may want to stop this from running in the background: Check for HJ to remove, then:
    Open IE> Tools> Manage Add-on> find the Panda entry> highlight Disable.
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

    Mike will handle the important 'stuff'!
     
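Added example, not part of the thread or of HijackThis itself: a small Python parser for HJT O-entries like the ones quoted above (O3 toolbar, O9 extra button, O16 DPF). It pulls out the CLSID, hive and download URL, flags the "(no file)" / "(file missing)" dead references the helpers told the poster to fix, and lists O16 ActiveX downloads for review. The sample lines are constructed from the entries quoted in this thread plus one made-up healthy toolbar entry.

```python
import re

# Constructed sample HijackThis log lines, modelled on the O3/O9/O16 entries
# quoted in this thread, plus one constructed healthy O3 entry for contrast.
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\\Program Files\\Poker.com\\poker.exe (file missing) (HKCU)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\bar.dll
"""

# "O3 - Toolbar: <details>" -> section id, entry kind, remainder of the line
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HIVE_RE = re.compile(r"\((HKCU|HKLM)\)\s*$")
URL_RE = re.compile(r"https?://\S+")


def parse_line(line):
    """Return a dict describing one HJT O-entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    hive = HIVE_RE.search(rest)
    url = URL_RE.search(rest)
    return {
        "section": section,
        "kind": kind,
        "clsid": clsid.group(0).upper() if clsid else None,
        "hive": hive.group(1) if hive else None,
        "url": url.group(0) if url else None,
        # "(no file)" / "(file missing)": the registry still points at a binary
        # that is gone, i.e. a dead reference left behind by an uninstall.
        "orphaned": "(no file)" in rest or "(file missing)" in rest,
    }


def parse_log(text):
    """Parse every O-entry in a log, skipping blank and non-matching lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review_candidates(text):
    """Entries a helper would look at: dead references, and O16 ActiveX downloads."""
    out = []
    for e in parse_log(text):
        if e["orphaned"]:
            out.append((e["section"], e["clsid"], "dead reference, safe to fix"))
        elif e["section"] == "O16":
            out.append((e["section"], e["clsid"], "ActiveX download from " + e["url"]))
    return out
```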