TechSpot

PC novice requiring assistance and clarification

By morgie
Jun 9, 2008
  1. Background

    AVG originally advised that I had a Trojan Horse Downloader in
    c:\system volume information\_restore (relating to A0036834.exe)

    2 days later I was advised that I had Trojan Horse Patched_c.PO in
    c:\system volume information\_restore (relating to A0044006.dll)

    Issues
    On both those occasions these items were moved to the virus vault and, rescanning with AVG, these items did not come up, so, being the novice that I am, I thought that this was fine.

    However, in the process of trying to gain knowledge and understanding and determine whether my system was okay, I came across Dr Web.
    Its scanning revealed that there were other items in
    c:\system volume information\_restore (relating to A0038461.reg, A0043448.reg, A0044153.reg, A0046316.exe, A0046320.exe). The first 3 items have been deleted and the last two moved.

    In addition to that I am getting tracking cookies reported all the time for 112.2o7, bs.serving-sys, msnportal.112.2o7, overture and serving-sys.

    1. Can someone please explain to me, when items are quarantined rather than deleted, can they be reactivated? I am assuming that the infection is still on your system but moved out of the mainstream files (thereby eluding detection).

    2. I have been running SpyBot, SuperAntiSpyware, Malwarebytes etc all at different stages and keep coming up with these tracking cookies.
    Are any of them harmful ?

    3. I read that I need to turn off system restore, do all the scans and cleans for the c:\system volume information\_restore infection. Is that correct ?

    4. I have now downloaded all the tools detailed in the
    Viruses/Spyware/Malware thread,
    Tool2 - VirtumundoBeGone - has no instructions that I can see. Can someone tell me what I need to do
    Tool3 - VundoFix - site says that it has issues with Asia versions of Windows (I am in Australia). Is this step critical?

    5. Do these tools have to run from the desktop ?

    I read that Combofix must be - is it the same for the others.

    I am a novice, trying to learn, so please be patient.

    Any advice on what I need to do to get a clean system would be appreciated.

    Thanks for reading the post :)
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    All of those infections are listed in old restore points set on your system. So, let's just clear any old restore points and set a new one now.

    Then just attach a Hijackthis log for us.

    ---------------------------------------------

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

    -----------------------------------------------------------------------------------

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  3. morgie

    morgie TS Rookie Topic Starter

    Blind Dragon

    Thanks for your quick response and instructions. Appreciate it :)

    Bit confused on how to attach the HJT log though. When you click on the paperclip, it asks for a URL link. Do you just key in the details of where it sits on the hard drive?
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Above "upload file from URL" is a box that says "upload file from your computer"; next to this click browse, then navigate to the file.
     
  5. morgie

    morgie TS Rookie Topic Starter

    HJT file

    OIC - thank you.:)

    I was in quick reply rather than reply to thread - hence my confusion.

    I now clearly see where the attach file is, and have attached it for your perusal.

    Many thanks for your time and effort:)
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I don't see too much on there. Just a few things to do. I also think your security looks pretty good; I would add Winpatrol from my signature to control startups and monitor changes to these registry keys. It's free and you won't hardly notice it is installed except for the scotty dog in the tray. You can right click it and select startup info... to disable programs from launching every time you boot your computer.


    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder


    ------------------------------------------------

    Remove leftover Norton
    Remove Norton as you have AVG -> Norton Removal Tool

    ------------------------------------------------

    Launch Hijackthis -> Scan only -> fix the following entry
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    by checking the entry and select fix checked

    -------------------------------------------------

    Let's run an online scan just to be sure:
    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  7. morgie

    morgie TS Rookie Topic Starter

    Kaspersky report

    Thanks again :)

    Have carried out your instructions, I hope! Bit nerve-racking when you don't know what you are doing.

    Had a bit of trouble updating the Java Runtime Environment and eventually downloaded the update after I searched for the version that I was running and the site selected the correct download for me.

    The items appearing in the report appear to be those that have been moved or quarantined when I have run Dr Web.

    This morning's daily AVG run also revealed Adware. I primarily use Firefox, but will open IE when required. Adware in the report includes Adware.Generic, Isearch, TitanShield, NewDotNet.

    Thanks for your time :)
     
  8. morgie

    morgie TS Rookie Topic Starter

    Kaspersky report

    Hoping it's attached this time.

    Just another issue. My computer has started to turn itself off on occasion. Has previously happened twice before today and twice today (once while I was running Kaspersky). No idea whether this impacts anything or not.

    Thanks again for your time :)
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yeah, you should just be able to clear quarantine. Like I said, I don't see much in the way of infections in your logs.

    Make sure SUPERantispyware is up to date and I would run a full scan with that to be safe, but honestly your logs look good.
     
  10. morgie

    morgie TS Rookie Topic Starter

    Adware

    Will do and have been doing since I found this site

    I guess that I am still concerned about the Adware. Can you tell me whether they are "regular" items ie: a fact of internet life. I understand that tracking cookies are, but am concerned about specific ones like Titanshield

    Thanks again for your time:)
     
  11. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Just noticed your posts, so taking the liberty to jump into the thread.


    Tracking cookies are just an internet way of life. You can't help but pick some up just from surfing the net and visiting websites

    Since you use FF, you might find it interesting to see and control the websites putting cookies (of any type) on your computer. in Firefox, under Tools->Options->Privacy set Keep Until to "Ask Every Time".

    Then each time a site wants to set a cookie, FF will ask you if to Allow, Allow for Session or Deny. (You'd be surprised how many cookies some sites try to set!)

    Answering Allow for Session is convenient because FF will delete the cookie for you when you close Firefox.

    Would recommend you also look at how FF builds its Exception list based on your answers (click Exceptions button which appears near the Keep Until option)

    From time to time you'll decide to modify an entry in the Exceptions list. One reason: hitting Deny and then finding a web site doesn't work, e.g. logging into some sites. The cookie you denied may be required for that site to work. If you care to use the site, you need to modify the exception (perhaps to Allow for Session) so you can try again.

    Finally, from what I've seen TitanShield is much more than just a tracking cookie. It's spyware in the form of code that runs on your computer.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Your anti-malware programs appear to be doing their job and catching the infections, though. Better safe than sorry; let's run a scan for TitanShield.

    • Download Smitfraudfix by S!ri from HERE
    • Double-click SmitfraudFix.exe
    • Select 1 and hit Enter to delete infected files.
    • The report can be found at the root of the system drive, usually at C:\rapport.txt

    These are the HijackThis entries; we can look back at your original log to see if they are there:
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\System32\adobepnl.dll
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
    O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
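    As an added illustration, not part of the thread and not HijackThis's own code: a small Python triage script for the three entry types quoted above (O2 BHOs, O4 startup items, R3 URLSearchHooks). The sample log is constructed from the entries in this post plus the R3 entry from earlier in the thread, and the watch list is an assumed list of the names the thread calls out, not a vendor signature set. It separates orphaned "(no file)" entries, which HijackThis can simply remove, from entries that still point at a live file and warrant an anti-malware scan.

```python
import re
from collections import namedtuple

# Constructed sample built from the HijackThis entries quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\\WINDOWS\\System32\\adobepnl.dll
O4 - HKLM\\..\\Run: [Adware.Srv32] C:\\WINDOWS\\System32\\runsrv32.exe
O4 - HKLM\\..\\Run: [Transponder] C:\\WINDOWS\\System32\\susp.exe
O4 - Startup: titanshield.lnk = C:\\Program Files\\TitanShield Antispyware\\titanshield.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# Assumed watch list: names the thread flags as adware, not a real signature set.
WATCH_NAMES = ("titanshield", "adware.srv32", "transponder")

# Line shapes of the entry types quoted in the thread.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4-run": re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>.*?)\] (?P<path>.*)$"),
    "O4-startup": re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<path>.*)$"),
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
}

# verdict is one of "orphaned", "watchlist" or "review"
Finding = namedtuple("Finding", "kind name path verdict")


def classify(kind: str, name: str, path: str) -> str:
    """Orphaned entries point at a file that no longer exists and are safe to
    let HJT remove; watch-list hits still have a live file and need a scan."""
    if path.strip() == "(no file)":
        return "orphaned"
    haystack = (name + " " + path).lower()
    if any(w in haystack for w in WATCH_NAMES):
        return "watchlist"
    return "review"


def triage(log_text: str) -> list:
    """Parse every recognised line and attach a verdict; unknown lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                d = m.groupdict()
                findings.append(Finding(kind, d["name"], d["path"], classify(kind, d["name"], d["path"])))
                break
    return findings


def summary(log_text: str) -> dict:
    """Count findings per verdict, e.g. {'orphaned': 2, 'watchlist': 3, 'review': 1}."""
    counts = {"orphaned": 0, "watchlist": 0, "review": 0}
    for f in triage(log_text):
        counts[f.verdict] += 1
    return counts
```

    Run `triage(SAMPLE_LOG)` to see each entry with its verdict; lines HijackThis emits in other formats (O1, O23 and so on) are ignored rather than guessed at.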
     
  13. morgie

    morgie TS Rookie Topic Starter

    Sigh...I thought that things were going so well and then at the start of this week, AVG advised of a Trojan.Generic - once again.

    I had been running Malwarebytes ,SuperAntiSpyware and AVG and Winpatrol.

    I had trouble running Dr Web, but a Trojan had attached itself to a Zone Alarm Set Up File that I had saved on my c drive, which Dr Web quarantined before my PC turned itself on.

    After many attempts at Dr Web, I finally got a report long ago (attached) which indicates that there is a backdoor trojan attached to my Malwarebytes program, in created system restore points and I have no idea on what the c:\RECYCLE\S file is

    Help please

    Thanks again for your great help.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I wonder if you're best off creating a new thread.
    Blind Dragon should advise on this or not (as I'm unsure).
     
  15. morgie

    morgie TS Rookie Topic Starter

    Ok, will wait and see what Blind Dragon advises. To me it's probably part of the same problem given that system restore is impacted again.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Clear system restore points

    • Clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
     
  17. morgie

    morgie TS Rookie Topic Starter

    Hijack log is attached.

    I haven't cleared the system restore points again as yet - is this the first step?

    Do I just uninstall, the malwarebytes program and reinstall it via a new download ?
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Damn, I wish I was there in sunny Qld (ie your home page I think)
    Please wait for Blind Dragon to confirm what to do.

    I'm signing off now
     
  19. morgie

    morgie TS Rookie Topic Starter

    I just tried to run Dr Web again and once again the PC turned itself off (which is the usual thing now). On reboot I noticed that it said overclocking failed. No idea why, as I wouldn't know what to do one way or the other. I have tried to run Dr Web about 15 times now and I have only had one successful run before my PC turns itself off.

    Have another question before clearing restore points.

    Windows SP3 has downloaded to my PC (did not check it for the download to proceed, but it has). I have not installed it. Is there any way to back out the download?

    Frustrated and feeling overwhelmed.

    I
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You will be given many user questions during the install
    One being to create a new System Restore point

    It is advised to have a clean system before installing SP3 - so maybe just don't do it yet (ie it won't auto-install)

    Not sure what's happened to Blind Dragon
    But all support members do this for free (including me!)
     
  21. morgie

    morgie TS Rookie Topic Starter

    Thanks for replying kimsland. Believe me, I recognise your efforts and appreciate your help :)
     
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I had another read of the HJT log and cannot see any stand out issues (Note: I am no expert at analyzing HJT logs)

    Anyway, I saw that you had OmniPage among others, starting up.

    I wonder if you could download and run Startup Control Panel, and untick all the startups on all the tabs (including AntiVirus and Firewall)

    Note: This is reversible (via re-ticking the boxes required to start with Windows).

    Anyway, restart once all is unchecked to see if the restart happens again.
    I believe the fault may be related to one of your programs starting, but also aware that you had Virus/Trojans on your system.
     
  23. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    1. I looked through your last HJT and concur with kimsland's assessment. Don't see anything nasty. A couple of minor comments:
      • To assure a thorough HJT scan it is best to rename the HJT executable to something else, as some malware looks specifically for hijackthis.exe and hides from it.
      • You're running Java Update 6 and Update 7 has been released. You can look back to early June for a post in your thread on how to update. Check Control Panel -> Java -> Update that you're set for Java periodic autoupdates and your firewall is allowing them as well - unless you've intentionally set it for manual updates, of course.
      • When you run HJT again you can check the box for O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) to have HJT fix (i.e. remove) it, as it's an old empty entry still lying around.
    2. You might try looking in Windows Event Logs to see if any clues / interesting footprints were left behind as to why your system is shutting down. This tool makes it even easier to manage and filter through those log files.
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You never followed my instructions and never attached rapport.txt
     
  25. morgie

    morgie TS Rookie Topic Starter

    Blind Dragon, you usually get an email to say that there is a new post in the thread. If I had received that email I would have definitely done as instructed, as I am very security conscious and appreciate the time and effort everyone at this site gives to help those who simply don't have the knowledge. It is appreciated so much. Thank you.

    Because too many weird things had been happening, (the last straw was the complete font change throughout my system), I got some help and have reformatted the hard drive to start afresh (hoping anyway).

    Thanks for kimsland and LookinAround for their help.
     
Topic Status:
Not open for further replies.
