TechSpot

I believe I've been infected with the "TrojanDownloader.XS" virus

By ahnadahodo
Apr 12, 2008
  1. Hello,

    I've been reading some of these posts about the "TrojanDownloader.XS" virus and it sounds like I may be infected as many others are.

    I have a lot of the same symptoms as others, i.e. yellow warning triangle in the taskbar (complete with various warning pop-ups), wallpaper has changed to large warning screen that is un-changeable, etc.

    As I understand the way to go about getting help from all you fine folks here, I am starting my own thread to ask for help.

    I have read about running "hijackthis" but have never actually done this...until now, so please bear with me in your attempts to help me out of this predicament.

    I am attaching the "hijackthis log" with the hopes that this will be enough to get us started.

    Thanks in advance for any help you can offer me,

    ahnadahodo
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Have you also lost Task Manager (Ctrl+Alt+Del)?


    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm


    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt
     
  3. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Thanks, Blind Dragon, for your reply to my plea for help.

    As added information, I just want to let you know that the machine that is infected has 3 user accounts on it. Does that matter, or will these fixes be fixes "across the board"?

    Also, at machine start-up, there is/was an error message that says:

    Error loading C:\WINDOWS\system32\lpymplvy.dll
    The specified module could not be found


    Do you think this has anything to do with this virus?

    Between the time I posted my "cry for help" and the time I received your reply, the machine that is infected had lost its ability to connect to the internet...until after I installed "Online Armor"...coincidence or not? It seems to be connecting okay now, as far as I can tell.

    On a slight side note, I've been battling random loss of internet connectivity, not just with one machine but with all machines within my household, do you think that could be related to this virus issue or would that be more a modem issue? I'm using a hardwired Linksys modem and router, as opposed to wireless.

    Anyway here's what I've done so far:

    1) As far as I can tell, the task manager is working okay;

    2) I downloaded and installed "Online Armor"...There were some things in the set-up that I wasn't prepared to deal with, i.e. allowing or blocking processes that I had no idea what they were or what to do with them;

    3) I downloaded, installed, and ran Malwarebytes' Anti-Malware;

    4) I downloaded, installed, and ran Combofix.

    I'm attaching the logs that were generated with each of the above programs, along with an updated hijackthis log, for your review.

    Also, while I was running the above programs, Online Armor kept prompting me to allow/block processes. I just allowed everything because I didn't know any better, I hope that was okay. I was especially concerned with this while running Combofix due to the warning about not touching the mouse\keyboard during the scan. I hope all the scans turned out okay.

    I await further instructions, let me know if you need anything more from me.

    As always, thank you for your help.

    ahnadahodo
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    This is possibly who's hijacking you, unless your ISP is in Russia:
    PeterHost.Ru
    Alexander Chernov
    Prof. Popova str. 37 B
    197376 Saint-Petersburg
    RUSSIAN FEDERATION

    phone: +78123477743
    fax-no: +78123341222
    -----------------------------------------------------------------------------------------------

    Download and Run FixWareout
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Now let's check some settings on your system.
    (2000/XP) Only
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

    Attach the logfile C:\fixwareout\report.txt
    ------------------------------------------------------------------------------------------------------


    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  5. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Okay Blind Dragon,

    I can't seem to get past Step 1 of your last post.

    When I run "FixWareout" everything seems to run pretty smoothly...except that I can't find any logfile named C:\fixwareout\report.txt after my PC reboots.

    Am I doing something wrong?

    Also, when I'm running the program, and others, "Online Armor" keeps popping up these windows asking me to allow/block, is that okay?

    I'm reluctant to move on to Step 2 (CFScript) until the "FixWareout" log is created.

    What should I do?

    Oh, also, whenever my PC boots up (after the desktop shows up) I have this window pop up that talks about not being able to open a certain file. The file is dwdsrngt.exe.vir. It asks if I want windows to use the web to find the appropriate program. What should I do about this?

    Thanks,

    ahnadahodo
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    That file was removed from your computer, but the registry entry is still telling it to load; just live with it for now until we can remove the registry entry. Don't let Windows try and find a program; this will be gone soon.

    Do you have a folder on your desktop called Fixwareout? If so, open it and find report.txt; this is what I need.

    You can go ahead and do CFScript regardless.
     
  7. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    There's no FixWareout "folder" on my desktop...just the executable file.

    The only report.txt file I can find is located at: C:\fixwareout\FindT\report.txt

    I'm attaching that one to this post to see if that's what you need.

    I'm also attaching the other logs you asked for: Combofix.txt & hijackthis.txt.

    As always, Thank you,

    ahnadahodo
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Please run a Full Scan with MBAM again, there is still something there that I know it removes.

    Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

      How to prevent it from being recreated every time you run the AOL software:
      • Open AOL
      • Go to Help on the toolbar
      • Select About AOL
      • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
    -----------------------------------------------------------------------------------------------


    ***print out or copy and paste into notepad and then save to your desktop so that you can see in safe mode***
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\pwinpmdn.exe CHD003
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Hyperlinks Rotator or ISMonitor
    Internet Speed Monitor


    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\QdrModule
    C:\Program Files\QdrPack


    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\pwinpmdn.exe

    After that, reboot, and post a new HijackThis log here in a reply.

    -------------------------------------------------------------------------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
  9. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    Pardon my ignorance, but I'm having a little trouble following your last posted instructions.

    1) I re-ran MBAM and it found 1 infected file, which I had it remove. I'm attaching that log with this post. During the scan, AVG kept popping up windows about "THREAT DETECTED". I didn't know how to handle them so I just let AVG "HEAL" them by default, I hope that was okay.

    2) Re: Viewpoint Manager--
    a) I went into Add/Remove Programs and didn't see anything about Viewpoint Manager in the list of programs available.

    b) As far as I can tell, I don't have AOL installed on this PC. The closest thing I can see is AIM and when I followed your instructions regarding how to disable it, I got no secret panel as you described.

    3) From here it gets really tough to follow your instructions...so here's what I did...I ran hijackthis as you posted. After running hijackthis, you tell me to "Check the boxes next to all the entries listed below." but I don't see any entries listed in your post. Except "HJT Entries go here" and I didn't see anything like that in the list. I'm also attaching the most recent hijackthis log with this post.

    I didn't know if I should continue on with the remainder of your instructions because I know sometimes there's a certain order that things should be done, so this is where I stopped.

    Let me know if I just mis-read the instructions or there really was something missing.

    As a status report...the PC is behaving better and able to connect to the internet much better now. Also, the modem hasn't been losing its internet connection like it was before; I suspect the virus had something to do with that problem as well.

    Thank you very much for all of your help and patience,

    ahnadahodo
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Sorry about that, as you can imagine your eyes can get tired after reading logs all day. I am in fact still very tired and will be spending some time away from the computer this weekend.

    I edited the above post but will just post a fresh set of instructions here, hopefully easier to follow.


    Fix using Hijackthis
    ***print out or copy and paste into notepad and then save to your desktop so that you can see in safe mode***
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\pwinpmdn.exe CHD003
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Hyperlinks Rotator or ISMonitor
    Internet Speed Monitor


    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\QdrModule
    C:\Program Files\QdrPack


    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\pwinpmdn.exe

    After that, reboot, and post a new HijackThis log here in a reply.

    -------------------------------------------------------------------------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
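The HijackThis entries listed in the post above and the CFScript instructions earlier in the thread (File:: on the first line, no blank line above it, no space in front) lend themselves to a small script. The following Python is an added example, not code from this thread, from HijackThis or from ComboFix: it parses the R0/R1/O4 lines quoted above, pulls the executable paths out of the O4 Run entries, builds a File:: CFScript from them and checks the first-line rule. The sample lines are copied from the post; the "odd value name" heuristic is my own assumption, not a HijackThis feature, and the generated script is only an illustration, not the contents of the helper's code box.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the HijackThis entries the helper listed for fixing
# in this thread, used here purely as parser input.
HJT_ENTRIES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\pwinpmdn.exe CHD003
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
"""

@dataclass
class HjtEntry:
    kind: str           # HijackThis section: R0/R1 (IE URL values) or O4 (Run key autostart)
    hive: str           # HKLM or HKCU
    key: str            # registry key; HijackThis abbreviates the Run key as "..\Run"
    name: str           # value name; for O4 the text between [ ]
    data: str           # URL for R-lines, full command line for O4
    exe_path: str = ""  # executable pulled out of an O4 command line

# R-lines: "<Rn> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R\d) - (HK[A-Z]+)\\(.+?),([^=]+?) = (.*)$")
# O4-lines: "O4 - <hive>\..\Run: [<value name>] <command line>"; the name may
# itself contain "]" (as in the thread), so the bracket match is greedy.
O4_LINE = re.compile(r"^(O4) - (HK[A-Z]+)\\(\.\.\\Run\w*): \[(.+)\] (.+)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_PATH = re.compile(r'^"?([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)
# Autostart value names are normally readable product names; anything with
# stray punctuation gets flagged. This is my own heuristic, not a HijackThis rule.
SANE_NAME = re.compile(r"^[A-Za-z0-9 _.()-]+$")

def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse R0/R1/O4 lines; other HijackThis sections are ignored here."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            entries.append(HjtEntry(*m.groups()))
            continue
        m = O4_LINE.match(line)
        if m:
            kind, hive, key, name, cmd = m.groups()
            p = EXE_PATH.match(cmd)
            entries.append(HjtEntry(kind, hive, key, name, cmd, p.group(1) if p else ""))
    return entries

def flag_odd_names(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 entries whose Run value name is not a plain identifier."""
    return [e for e in entries if e.kind == "O4" and not SANE_NAME.match(e.name)]

def o4_paths(entries: List[HjtEntry]) -> List[str]:
    """Executables launched by the O4 entries, in log order."""
    return [e.exe_path for e in entries if e.kind == "O4" and e.exe_path]

def build_cfscript(section: str, paths: List[str]) -> str:
    """Section header (e.g. "File::") on the very first line, one path per line.
    R0/R1 entries are registry values, not files, so they never go in here;
    HijackThis "Fix checked" resets those."""
    if not section.endswith("::"):
        raise ValueError("section header must end with '::'")
    return "\n".join([section, *paths]) + "\n"

def validate_cfscript(text: str, section: str) -> List[str]:
    """Check the rule the helper stresses: header on line 1, no blank line
    above it, no space in front of it. Returns a list of problems (empty = ok)."""
    problems: List[str] = []
    lines = text.split("\n")
    first = lines[0] if lines else ""
    if first != section:
        if first.strip() == "":
            problems.append("blank line above the header")
        elif first.lstrip() == section:
            problems.append("whitespace in front of the header")
        else:
            problems.append(f"first line is {first!r}, expected {section!r}")
    for n, line in enumerate(lines[1:], start=2):
        if line and line != line.strip():
            problems.append(f"line {n} has leading/trailing whitespace")
    return problems

if __name__ == "__main__":
    found = parse_hjt(HJT_ENTRIES)
    for e in flag_odd_names(found):
        print(f"odd Run value name in {e.hive}: {e.name!r} -> {e.exe_path}")
    script = build_cfscript("File::", o4_paths(found))
    print(script, end="")
    print("problems:", validate_cfscript(script, "File::") or "none")
```

Save the generated text exactly as printed (header first, no leading blank line) as CFScript.txt before dragging it onto ComboFix.exe; the validator catches the two mistakes the helper warns about.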
     
  11. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    Thanks for all your help. I understand about looking at something for so long that your eyes go cross-eyed.

    Your last set of instructions were much easier to understand. :)

    ---Fix using Hijackthis---

    I followed your instructions and fixed the indicated entries, most recent hijackthis log is attached.

    When I re-booted into safe mode, I noticed that there was a text document on the desktop named "error.txt". Just in case it has some important info in it, I'm also attaching that here for your review.

    Regarding:
    Hyperlinks Rotator or ISMonitor
    Internet Speed Monitor


    These were not present in the add/remove programs area.

    There was one program in there that I'm not sure what it is, it's called Python 2.2.3.

    Is this program important and should I keep or remove it?

    Regarding:
    C:\Program Files\QdrModule
    C:\Program Files\QdrPack


    and

    C:\WINDOWS\system32\pwinpmdn.exe

    None of these were in Windows Explorer.

    However, I did see 2 files in C:\WINDOWS\system32\ that resembled C:\WINDOWS\system32\pwinpmdn.exe.

    File number 1 was C:\WINDOWS\system32\pwinpmds.exe

    File number 2 was C:\WINDOWS\system32\pwinpmdt.exe

    The difference is the last letter before the .exe, are these good/bad?

    ---Run Kaspersky Online AV Scanner---

    I ran this scan and the log is attached with this post.

    When I was running Kaspersky, AVG kept popping up windows about "Threat Detected", is this a good thing or a bad thing? Should AVG be disabled during this whole process?

    Again, your help is GREATLY APPRECIATED,

    ahnadahodo
     
     
  12. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    You haven't responded to my last post from 1½ weeks ago, have you forgotten about me? :)

    As you can read in my post from 4/19/2008, I've completed your last instructions and posted the requested logs.

    I'm not sure where my system is, as far as being "repaired", could you review the logs and let me know if I need to do anything else to complete the "cleansing" of my system?

    As always, I'm VERY GRATEFUL for all that you've done to help me with this situation.

    I look forward to hearing from you,

    ahnadahodo
     
  13. ahal

    ahal TS Rookie Posts: 70

    Hmmm

    Hmm ....

    Thought the name rang a bell. Googled it and it turned up a professor of Physics in Moscow State University - didn't check the details, but I'd say the tel / fax number match, so obviously the smart*** who coded it has a 'sense of humour'.

    Not much help perhaps, thought I'd mention.

    Regards,

    Anthony.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Sorry about that; it doesn't happen often, but I did overlook your last post.

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  15. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    Okay, so I followed your last set of instructions and now I'm really worried that I may have lost some personal files, photos, etc.

    Here's why...when I dragged the CFScript.txt into the ComboFix.exe, as you said to do, ComboFix started running. As this was happening, Online Armor was asking me to allow/deny certain actions. One of the programs it asked about was "catchme.sys" this sounds suspicious to me, should I have allowed this process to run? ComboFix spent about 1½ hours deleting files from my secondary "F" drive, many of which were digital photos. I worry that maybe this process is what caused all these files/photos to be deleted.

    Why were all these files/photos deleted?

    Was this the intended results?

    Have I lost these files permanently?

    Also, now my Windows clock reads in military time and has the date formatted as yyyy-mm-dd. Is this normal? It didn't use to be this way. Why didn't it go back to the way it was originally?

    I'm attaching the requested log files for your review.

    Thanks again,

    ahnadahodo
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Not necessarily. But, it appears that there are a lot of infections in this folder:

    F:\Transferred files2\Daddy's files July 16 06

    It was my intent to remove this folder because it appeared to have some infected email attachments etc. stored there.

    Attach the C:\Qoobox folder here for me.
     
  17. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    Okay, you're the pro. :)

    Is there any way to remove the bad/infected files and leave the good/uninfected files alone?

    All right, I can't figure out how to upload the folder C:\Qoobox. When I browse to the folder it never loads into the "File Name" box. It will let me load individual files that are inside the folder, but not the whole folder at once.

    Can you either tell me how to upload the whole folder or are there specific files that you need to look at that I can attach here?

    Thanks,
    ahnadahodo
     
  18. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    It's certainly not my intent to be a pest, but have you overlooked me again?

    You haven't responded to my post of 5-1-2008, and I kind of feel like I'm stuck in limbo here.

    Could you read my last post and let me know what I need to do next?

    Thanks so much,
    ahnadahodo
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You should keep pictures in a separate folder in the future from downloaded content.

    Sorry, I was trying to find a way to restore those files without restoring the infected files. To be honest I can't come up with a good way to do it. It's going to be quite a bit of work no matter how we do it.

    Using windows explorer
    Look in C:\Qoobox

    Can you see your pictures in here?

    If so, create a new folder on your desktop and drag the pictures into the new folder.

    Let me know what happens.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I think I have a solution for you to restore the pictures, then we can just start over removing individual infections.

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word DeQuarantine:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
     
  21. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    Please accept my sincere apologies for having not responded recently. I've had some family issues arise and haven't had time to continue with our processes.

    First I want to ask about your comment concerning storing photos in a separate folder as downloaded content...this confuses me, as the folder that we deleted contained several individual folders, one of which was a "digital photos" folder that contained the majority of the photos in question. Was this the correct way to separate the photos from other files or is there a different/better way to handle this?

    Secondly, and perhaps more importantly, we don't have to worry about trying to restore the deleted photos, I've recently discovered a backup folder that contains those same photo files.

    I noticed that you've discovered a potential way to "restore" the quarantined files, I hope you didn't go to painful lengths to work on this, that would really make me feel bad.

    Just a little FYI, when I do as you asked and go to C:\Qoobox in Windows Explorer, I do see the photos in that folder. I don't know if that folder has everything that was deleted or not, or all of the photos, but there are a lot of them there. They appear to have the original file names with the exception of an added extension at the end (.vir).

    Do you want me to go ahead and run through the rest of your suggestion, maybe just to see how it works, or is it not worth messing with at this point? Let me know how you want to proceed from this point.

    I want you to know that I really do appreciate all of your help and I apologize again for taking so long to get back to you.

    Thanks,
    ahnadahodo
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    If you can restore the photos from a previous backup, that would be best. If not, then dequarantine them and we can go from there.


    I would like you to post a fresh Hijackthis log.

    Also, how has your computer been running since running those tools previously?
     
  23. ahnadahodo

    ahnadahodo TS Rookie Topic Starter Posts: 56

    Blind Dragon,

    Thanks for your reply.

    Yes, I have backup copies of the photos, so no worries.

    My son is the one that mostly uses the infected PC and he says it seems to be running okay. I know we still get an occasional "Threat Detected" from AVG but I'm not sure what they are or what to do with them.

    I'm attaching the latest Hijackthis log, as you've requested.

    By the way, do I need to keep any of the previous Hijackthis logs? Or should I get rid of them?

    Thanks,

    ahnadahodo
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I would uninstall AVG 7.5 and either upgrade to AVG 8.0 or get Avira Antivir

    I would also keep Malwarebytes antimalware and scan occasionally with that.

    I would also get Winpatrol and make sure you clean out your temporary files with ATF cleaner.

    ---------------------------------------------

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------

    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    ---------------------------------------------------------------------------

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. In Vista this is done through Control Panel -> Windows Updates.


    7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety:

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
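The MVPS Hosts file mentioned above works by mapping unwanted hostnames to the local computer. The following is an added example, not code from this thread, from the MVPS project or from TechSpot: a small Python auditor that parses hosts-file syntax (comments, blank lines, several names per address) and reports which names are sinkholed to the local host and which are mapped somewhere else, so you can confirm that a blocklist-style HOSTS file does only what it is supposed to. The sample file, the hostnames and the addresses in it are constructed for this example; a real hosts file on Windows XP/Vista lives at C:\Windows\System32\drivers\etc\hosts.

```python
"""Audit a blocklist-style HOSTS file (added example; constructed sample data).

A hosts file like the MVPS one should only ever map names to the local host
(127.0.0.1, 0.0.0.0 or ::1). Any entry that points a name at some other
address is worth a look, because it silently changes where that name resolves.
"""
import ipaddress

# Addresses that mean "this machine": traffic to a name mapped here goes nowhere.
LOCAL_HOST_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: NOT a real hosts file; every name/address is made up.
SAMPLE_HOSTS = """\
# Header comment of a blocklist-style hosts file (constructed sample)
127.0.0.1 localhost
127.0.0.1 ads.example.net      # sinkholed ad host
0.0.0.0   tracker.example.org
127.0.0.1 www.example-banner.com   another-alias.example.com
198.51.100.7 update.example-av.test   # mapped to a non-local address
not-an-ip  bogus.example
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts-file syntax.

    Whole-line and trailing '#' comments and blank lines are skipped; one line
    may list several hostnames after a single address, as Windows allows.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower(), line_no


def audit_hosts(text):
    """Classify every mapping in the file.

    Returns a dict with three lists:
      sinkholed  - hostnames pointed at the local host (the expected case)
      redirected - (line_no, hostname, address) for names sent elsewhere
      invalid    - (line_no, token, hostname) where the address is not an IP
    The standard 'localhost' mapping is neither counted nor flagged.
    """
    report = {"sinkholed": [], "redirected": [], "invalid": []}
    for address, name, line_no in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            report["invalid"].append((line_no, address, name))
            continue
        if name == "localhost":
            continue
        if address in LOCAL_HOST_ADDRESSES:
            report["sinkholed"].append(name)
        else:
            report["redirected"].append((line_no, name, address))
    return report


def summarize(report):
    """Render the audit as one line per finding, for a quick manual review."""
    lines = [f"{len(report['sinkholed'])} name(s) sinkholed to the local host"]
    for line_no, name, address in report["redirected"]:
        lines.append(f"line {line_no}: {name} -> {address} (NOT local; review)")
    for line_no, token, name in report["invalid"]:
        lines.append(f"line {line_no}: '{token}' is not an IP address ({name})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Audit the constructed sample; pass a real file's contents instead:
    #   audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())
    print(summarize(audit_hosts(SAMPLE_HOSTS)))
```

Run against the sample, the auditor counts four sinkholed names, flags the one entry that sends a name to a non-local address, and rejects the malformed line. The same functions can be pointed at the live hosts file to confirm that an installed blocklist contains nothing beyond local-host mappings.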