Please help. Not sure if I am free from malware.

By withnail
Oct 4, 2007
Topic Status:
Not open for further replies.
  1. Please help. Not sure if I am free from malware. (Logs included)

    I am normally protected by NOD32 and Windows Defender which are always running on my Vista machine. Yesterday NOD32 identified a possible virus and since then I have had a few problems.

    Initially I noticed that Firefox on occasion wasn't working and once or twice an IE pop up tried to load. I then realised that my Shut Down button had been removed as was access to both task manager and regedit.

    I ran several scans before finding this forum (NOD32, SS&D, Ad-Aware, Kaspersky Online), all of which found different problems which I then removed. Then, on the basis of what I found online, I also removed certain files and registry entries which unfortunately I can't remember the names of.

    I have since followed your instructions and have attached the required logs. I could not get combofix to work although I have a feeling it may have been one of the many things I tried last night having searched on various sites for solutions before arriving here.

    I hope the other logs are enough for someone to tell me if my machine is now clean.

    I thank you in advance and apologise for any noobie mistakes I may have made.

    Edit: finally got ComboFix to work, so I have included this log.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I think Jase is doing the HijackLogs now. But I did take a look and saw 6 BHOs (Browser Helper Objects) running. Do you need those all running, all the time? Probably not.

    The Java Update scheduler is running - you do NOT want this: jusched.exe. Control Panel> Java> Update tab> uncheck 'check for updates'. Same with the HP Update, HPWuSchd2.exe. You do not want all these auto updates running! They will be accessing the internet numerous times during the day. From a safety point of view, this is not good.

    Be sure the Adobe Reader isn't on startup. You can use the msconfig utility to stop everything that doesn't need to start when you boot and run in the background.
  3. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Hello and welcome to Techspot.

    Your system is infected with what looks like a rootkit.

    Run AVG Antirootkit again and have it fix the C:\Windows\System32\Drivers\ahd9b7b2.SYS file.

    Other than that, your logfiles look clean.

    Regards Howard :wave: :wave:

    This thread is for the use of withnail only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. withnail

    withnail Newcomer, in training Topic Starter

    Thanks a lot for your help, could somebody confirm I am now clean? I'll check back here in case anyone else noticed anything different or if things start behaving strangely again.

    I have tried removing the rootkit as suggested but every time I restart and rescan it picks up another rootkit. I noticed after the second time that the name of the rootkit changes ever so slightly each time.

    Thanks, Withnail.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Welcome back Howard. I have a question. When someone posts their HijackThis log, is it just for the process of looking for malware? I frequently see things running that shouldn't be, at least not on automatic or on startup - they aren't malware, but usually startups or BHOs. Do you not address this at all, and is it okay if I do?

    It is not my intention to step on any toes, but I think handling these things does improve the performance.

    Thanks.
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Withnail: please do the following.

    Download the Panda Antirootkit programme.

    Unzip it and run the PAVARK.exe file.

    Tick the box that says In depth scan and follow the on screen instructions.

    DO NOT remove any UNKNOWN ROOTKITS at this stage. Instead, let me know the results.

    Please let me know the results.

    Bobbye: I only scan HJT logs for any malware that is present. I don't bother stopping unnecessary processes, as my intention is to get rid of malware and not to try and improve system performance etc.

    If you wish to do that, then by all means be my guest.

    Regards Howard :)

    This thread is for the use of withnail only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. withnail

    withnail Newcomer, in training Topic Starter

    Howard thanks for your help

    I downloaded the program, which initially didn't work (operating system not supported), so I changed the compatibility mode to XP, then off again, and it worked.

    When it ran, the tick box, although greyed out, was already ticked. I ran the scan and it said no rootkits detected, although it seemed to me that the scan was too instantaneous (less than a second), so I'm not sure if this has worked. Looking at it again, I'm sure it hasn't worked, as it says items scanned 0.

    Withnail
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Try downloading it again.

    The programme definitely takes a lot longer than a few seconds to scan.

    You could try running the Panda scan from safe mode.

    Regards Howard :)

    This thread is for the use of withnail only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. withnail

    withnail Newcomer, in training Topic Starter

    I tried both of those ideas already. Looking on their website it doesn't seem to be compatible with Vista.

    I did find someone with the same problem. http://forum.grisoft.cz/freeforum/read.php?11,106465,backpage=,sv=

    Other than this, the original symptoms are not present (shut down icon, task manager etc.) and haven't been since some of my earlier scans. I'm still getting the feeling something isn't right though. :(
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ah, I see. Vista isn't compatible with a lot of software; unfortunately this can cause major problems when trying to clean infections.

    I'm definitely worried by the randomly named files that are found by AVG Antirootkit.

    Do you have daemon tools installed?

    Regards Howard :)

    This thread is for the use of withnail only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. withnail

    withnail Newcomer, in training Topic Starter

    Yes, I do have Daemon Tools installed. How might that help?

    Thanks for your concern. I'll be honest, I could reinstall Vista without too much hassle; it's annoying me though, because whatever was here seems to be 99% gone. Nothing else I do seems to pick up any malware.

    Are there no other rootkit removers that might help? Or manual fixes?
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    From some research I've done, it looks like Daemon Tools creates a randomly named .sys file every time the computer is started. This may well explain the random file names that AVG Antirootkit is finding. If that's the case, then there's nothing to worry about.

    One way that might confirm if it is Daemon Tools that's the cause is to uninstall it and see if AVG still keeps finding the random filenames.

    Regards Howard :)

    This thread is for the use of withnail only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  13. withnail

    withnail Newcomer, in training Topic Starter

    I think you've cracked it. Thanks for your help.

    Do you think I can safely assume that there are definitely no traces of any malware left? Would something left over likely rear its ugly head in a very visible way fairly shortly?

    My only last question is: what did I do wrong? I have NOD32 (legal), Windows Defender and Windows Firewall running all the time. I use Firefox and CCleaner daily. There is a small possibility that I pressed the wrong button on a NOD32 pop-up (although that's not like me), as those pop-ups were the first thing I remember seeing before I started having problems.