TechSpot

Just want to be sure my PC's not infected anymore

By kaelzeph
Mar 13, 2009
  1. I was infected by the Win32/Heur virus/trojan and my Avira went nuts, all my .exe files were either removed or triggered virus alerts every second. I installed AVG and it too went nuts. I already did Combofix and the preliminary removal. Other than my .exe files going haywire, my printer drivers were also affected so I uninstalled them but now every time I open My Computer or any Explorer window, it tries to install drivers for my printer again. Any other things that I should do?
     


  2. rev_olie

    rev_olie TS Maniac Posts: 560

    Hi,
    That is one big malwarebytes log.
    You should re-scan with malwarebytes after updating to make sure.

    Reading your HijackThis log I see you have uTorrent and LimeWire. I will not carry on until this is removed. You will most probably get re-infected while a cleaning process is taking place if it is kept. You must uninstall and re-run HijackThis before most users will help you.

    Finally, you have 2 antivirus programs, AVG and Avira. It is not recommended to run both at the same time. You should remove AVG as this will speed up the system, decrease the chance of compatibility problems, and Avira is the better of the two.
     
  3. kaelzeph

    kaelzeph TS Rookie Topic Starter

    I've removed uTorrent and LimeWire... but I've got some issues with uninstalling my Avira. The .exe files for that one were all corrupted and somehow got deleted. I try to install a fresh Avira, but it still recognizes my old Avira installation, and when I try to uninstall it and it says "your system will now reboot," it doesn't...
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Download and Run ComboFix

    • Download this file to your desktop from HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply

    WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Adding some assistance:
    It appears that at some time you may have downloaded a program called Error Nuker. It is a rogue Registry cleaner. The exceptionally long Mbam log is due to entries found from that program:
    (Rogue.ErrorNuker)
    http://www.malwarebytes.org/malwarenet.php?name=Rogue.ErrorNuker
    A description from a-squared Anti-Malware
    I am uncertain as to the actual status of all the entries the Mbam log shows as quarantined and deleted, but any leftover files from this program should be searched out and deleted. You should also check in Add/Remove Programs and UNINSTALL if there.

    Now let's get the multiple antivirus programs resolved:
    First HijackThis log:
    1. AVG:

    2. Avira: (installed over the top of AVG)
    Second HijackThis log:
    1. Avast:

    2. Avira:
    It appears that you thought Avast and Avira were the same program OR you just decided to add it to the soup! We need to get you down to ONE functioning, updated, correctly configured antivirus program. So this is what you need to do:
    Decide which of the programs you want to keep: Avast or Avira. I have grouped all of the entries for each to make it easier for you.
    Once you have cleaned up the multiple AV programs, it is recommended that you update the AV you kept and run a full system scan. I saw a few other entries that should be removed, but I'll wait and see how they are handled for now.
     
  6. kaelzeph

    kaelzeph TS Rookie Topic Starter

    I think the ErrorNuker was the one causing the Heur infection. I got that when my cousin inserted her USB flash drive into my PC. I didn't notice it because the icon for the flash drive was not that of a folder, and my anti-virus at that time (Avira) did not recognize it.

    I've done the instructions for the anti-virus I don't want. When I got to the part for uninstalling in the Add/Remove Programs, it said that Avira was already removed.

    Here are the recent logs for ComboFix and HijackThis.

    And there was one weird thing that happened when I booted into safe mode. There was another user called Administrator which shouldn't be there since my account is the admin account. And that account name does not appear in the Control Panel/User Accounts. It's also password protected.
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Go to Add/Remove Programs and uninstall XoftSpySE.

    It was formerly listed as spyware and I would not recommend it.

    http://spywarewarrior.com/rogue_anti-spyware.htm


    To get an Uninstall List from HijackThis:

    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.
     
  8. kaelzeph

    kaelzeph TS Rookie Topic Starter

    XoftSpySE was another one of those programs that got removed somewhat, so I couldn't find it in my Add/Remove Programs list.

    Here's the Uninstall List from HJT.
     
  9. kritius

    kritius TS Guru Posts: 2,084

    COMBOFIX-Script



    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



      Code:
      Folder::
      C:\$AVG8.VAULT$
      c:\program files\XoftSpySE
      c:\program files\Kaspersky Lab
      c:\program files\Common Files\Kaspersky Lab
      c:\documents and settings\Antonio Navales\Application Data\uTorrent
      c:\documents and settings\Antonio Navales\Application Data\LimeWire
      c:\program files\Common Files\Symantec Shared
      
      
          

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



      [screenshot: CFScript.txt being dragged onto ComboFix.exe]


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
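    The CFScript above tells ComboFix which folders to remove. Before handing such a script to a user, a helper usually wants to confirm which of the listed leftovers are actually still on disk. The script below is an added example written for this thread; it is not part of the original post and not ComboFix's own code. It parses the "Folder::" block layout shown in the post (any other "Name::" block, such as a "File::" block, is assumed to follow the same layout) and performs a read-only check of which paths still exist, deleting nothing. The sample script and the simulated file list inside it are constructed for the example.

```python
"""Dry-run audit of a ComboFix-style CFScript (added example, not ComboFix code).

Each block starts with a line such as "Folder::" (taken from the post) and is
followed by one path per line; a blank line or the next "Name::" header ends
the block. "File::" blocks are assumed to use the same layout.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# A block header is a bare word followed by two colons, e.g. "Folder::".
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Constructed sample, modelled on the Folder:: block in the post.
SAMPLE_SCRIPT = """Folder::
C:\\$AVG8.VAULT$
c:\\program files\\XoftSpySE
c:\\program files\\Kaspersky Lab
c:\\program files\\Common Files\\Symantec Shared

File::
c:\\windows\\system32\\example-leftover.dll
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {block_name: [entry, ...]} for a CFScript-style text."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines only separate blocks
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            blocks.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any block header: {line!r}")
        blocks[current].append(line)
    return blocks


def audit_paths(paths: List[str],
                exists: Callable[[str], bool] = os.path.exists) -> Dict[str, bool]:
    """Map each path to whether it currently exists. Read-only: nothing is removed.

    `exists` is injectable so the check can run against a simulated file list
    (as in the test below) instead of the local machine.
    """
    return {p: bool(exists(p)) for p in paths}


def still_present(text: str,
                  exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """List (block, path) pairs from the script whose path still exists."""
    found = []
    for block, entries in parse_cfscript(text).items():
        for path, present in audit_paths(entries, exists).items():
            if present:
                found.append((block, path))
    return found


def simulated_exists(present: List[str]) -> Callable[[str], bool]:
    """Build an `exists` function over a constructed list of paths.

    Windows paths are case-insensitive, so comparison is done in lower case.
    """
    lookup = {p.lower() for p in present}
    return lambda p: p.lower() in lookup


if __name__ == "__main__":
    # Against the real disk (on a non-Windows box every path reports absent).
    for block, path in still_present(SAMPLE_SCRIPT):
        print(f"{block}: still present -> {path}")
    print("audit complete; nothing was deleted")
```

Running it on the affected machine before the ComboFix step would list exactly which of the leftover program folders remain, and an empty result means the script entries are already stale; the `exists` parameter lets the same check be exercised against a constructed file list without touching the disk.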
     
  10. kaelzeph

    kaelzeph TS Rookie Topic Starter

    Here's the latest ComboFix log. I've already uninstalled Avira and ESET NOD32, but ComboFix still detects them. Would there be any way to remove them?
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    (Nice job by the way , cleaning up the 'extra' AV programs)

    FYI: The top section shows files created in the last 30 days.
    That's why you see 'Avira'.

    Where are you seeing Nod? Did you mean another AV program? Nod wasn't on your list of multiple AV programs.

    kritius, you might want to have him check these for possible removal and/or take off of Startup:

    And check to see if programs are still installed. I see Services show as unknown/file missing in the HijackThis log in Vista, due to a bug reading the files. But it's unusual in Windows XP. Services might need to be disabled and stopped.
    --
     
  12. kaelzeph

    kaelzeph TS Rookie Topic Starter

    ESET NOD32 was my first anti-virus but it somehow stopped updating so I uninstalled it.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Then it wasn't in the last 30 days; I did not see it in ComboFix. You need to settle down, find one AV program, configure it and be sure it updates. Why are you changing the AV so much?

    I have Nod32; it's not a free program. It works very well and gives update notices without incident. Maybe your subscription to Nod wasn't current.
     
  14. kaelzeph

    kaelzeph TS Rookie Topic Starter

    The Nod32 expired, so I changed to Avira, but that too was wrecked by the virus and it sort of went downhill from there...
     
Topic Status:
Not open for further replies.
