TechSpot

Infected WinXP

By highblur
Nov 15, 2008
Topic Status:
Not open for further replies.
  1. Windows XP ~ downloaded trojan/virus and need help removing the detrimental software. What would you like me to do (HijackThis etc.)? A week ago I made the mistake of downloading something from Dailykeys.com. Anyways, my AVG, ThreatFire and other virus programs have begun failing, and iexplore.exe and other viruses have begun taking over. Thanks

    Todd
     
  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi highblur

    The TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Do all, skip no step (do not install another virus scanner as you already have one).

    Most importantly, update MalwareBytes and SuperAntiSpyware!

    Before you scan with SuperAntiSpyWare do the below:

    SuperAntispyware config

    After it is installed, double-click the icon on your desktop to run it.

    It asks to update the program definitions, click Yes.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.

    In MalwareBytes after update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and post their logs, then a new HJT log.

    Do this correctly and we will make a short job of this!

    NOTE: If it lets you install but not update or run STOP and get back to me!

    Mike
     
  3. highblur

    highblur TS Rookie Topic Starter

    Step 1: (Took all night, will continue through each step)

    Attached are my AVG and Ad-Aware results~

    Will continue with Step 2 after CC Cleaner (x2)
     
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    Good morning highblur

    OK good!

    Continue with the 8 steps.

    I know this is a drudge but at some point it will break loose and be somewhat faster.

    One thing I noticed is that your Ad-Aware is way out of date; it went from SE to 2007 to now 2008, but it is better than nothing.

    The 8 steps are most important now; get through them, post a HJT log first, then the MBAM and SAS with logs.

    I run through these and things should improve.

    Keep up the good work.

    Mike
     
  5. NunjaBusiness

    NunjaBusiness TS Rookie Posts: 49

    "8 Steps" missing a couple of important ones!

    I am really surprised that the oft-quoted "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" do not include two of the most important steps of all when diagnosing/fixing/cleaning any system:

    1. Disable System Restore. (XP and beyond)
    2. Back up your system. Or better yet, have automatic backups on an external drive and/or offsite that you have verified.

    Then the other steps can be followed.
    Let me explain why these two other steps are critical.

    1. System Restore - Many malware products use the system restore feature to their advantage and that is EXACTLY how they keep coming back time after time, even after you remove them. The system restore function can be used by these malevolent processes to reinstantiate themselves every single time you reboot.

    2. Backup - This should go without saying, but sadly a tiny percentage of users EVER back up their system and very few of them do it regularly or completely (verifying the ability to restore those files). A good backup will allow you to recover from absolutely any malady that befalls you, and if you do incremental backups you can pretty much "go back in time" to a point before the affliction occurred.

    Hard drives (external too) are just too cheap right now - and too many free or really low-cost automatic offsite backup services are available (for critical data) to not have SOMETHING in place to allow you to recover. The local (external or other drive) backup will be adequate in most cases, but if you are robbed or suffer a natural disaster - the offsite backup is the only one that will save you.

    I prefer a combination of periodic full disk imaging and an automatic offsite incremental backup service. If you already have an extra hard disk (external USB or e-SATA preferred) you can do it for free using DriveImage XML and Mozy's free 2GB service.

    I am an IT veteran (30 years) and work in the data protection/security field so I do know more than a little about the subject.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    Disabling System Restore is burning a bridge behind you.

    Should only be done last after clean. Even a bad restore point is better than no restore point at all.

    The backups I absolutely agree! And DriveImageXml is a great product!


    Mike
     
  7. NunjaBusiness

    NunjaBusiness TS Rookie Posts: 49

    That is exactly why the backup is so critical. You do not want to recross a "bridge" that still has trolls under it. ;)

    The restore points are created automatically and can absolutely still contain the malware in question, so you must ensure no restore points are present or newly created UNTIL after you have removed the offender(s).

    There are an increasing number of viruses/trojans that get saved into your system restore files and cannot be removed without disabling System Restore first.

    Please read this MS Knowledgebase Article to understand why.

    You will also find that many of the major players in the AV and security industries recommend this as one of the first steps in malware removal.

    System Restore is a very good thing, especially in Vista and beyond where it uses Volume Shadow Services to save more and better copies of everything than before. That is why you should, of course, turn it back on after cleaning and manually create a new restore point.
     
  8. highblur

    highblur TS Rookie Topic Starter

    Here are the HJT, Malwarebytes and SuperAnti logs:

    Thanks for all your help
     
  9. mflynn

    mflynn TS Rookie Posts: 2,793

    Hello highblur

    Sorry I missed your reply somehow.

    MBAM and SAS need to be run again until they come up clean. The "No action taken" in the SAS log means you forgot or for some reason did not click OK to clean. We need both of these to come up clean.

    OK you have done great we can whip this thing now. After the above is finished do the below.

    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    NunjaBusiness, FYI: Restore points are kept until the system is cleaned. Then they are removed. Most of us who help with the logs caution the users NOT to use System Restore while cleaning.

    However, if you look at the logs, you CAN see a reference to malware in System Volume. This is the restore points. The program will flag entries but complete removal comes later.

    As for backing up: No, I wouldn't advise backing up with a malware infection; I would think that if you seriously consider this, the reason will be evident. However, keeping backups on a regular basis is recommended, just not purposefully when there is malware.

    I understand that you are coming from 30 years of IT experience. I'm sure you were of help to many. Just understand what is done with an individual computer may vary from what is done to an office full of systems. Server issues are different. Security programs setups are different.
     