TechSpot

Stuck on malware scan

By Arsenalman
Jan 10, 2009
  1. Hi everyone, my cousin has a virus on her laptop and I'm trying to guide her through the 8 step guide because you have helped me on one of my PCs in the past. I don't have her laptop in front of me so it's adding an extra level of difficulty.

    As far as I know the laptop is 2-3 years old, the processor is probably an Intel one but I don't know which one (likely to be dual core) and it has Windows XP on it.

    She has Symantec antivirus installed on her PC but it no longer updates.
    Her problems started when a bubble on the taskbar kept popping up telling her that Symantec wasn't updating and that Windows automatic update wasn't working.

    I asked her to install Avira and it detected some things and I told her to quarantine everything it finds. (She couldn't uninstall Symantec.)

    The problems seemed to go away but then the next day she told me that they were back. IE says it is blocked and I think she couldn't use Firefox either. She said that she got a popup for Antivirus 2009 and she did a scan.

    After that the laptop seems to have gone from bad to worse. She was at a point where she could only see the desktop background and Avira kept on popping up with detections.

    I told her to go to another PC and I got her to download all the programs in the 8 step guide.

    We had to install the programs through the control panel. After we did CCleaner the start bar and the menu buttons appeared.

    We are now stuck at the malware scan, step 4. She was scanning but the computer froze. She said it found 40 infected objects having scanned 102426 objects. As it didn't finish the scan and froze, it didn't give her a log file.

    She also told me that Avira keeps popping up with a detection that reads
    C:\WINDOWS\system32\urqNDSIx.dll Is the TR/monder.akld Trojan

    and she has been selecting quarantine.

    I am wondering if I should ask her to go into safe mode to do a scan, but I am already past the limits of my knowledge when it comes to this sort of thing, so I am hoping someone can advise on the best course of action.

    I have tried to be as descriptive as I could about what has happened but let me know what other information would help you to advise what steps we should take.

    Thank you

    OK, I asked her to put it into safe mode. I wasn't sure but we put it into diagnostic startup and she is running malware again.
     
  2. rev_olie

    rev_olie TS Maniac Posts: 560

    If it is popping up with Antivirus 2009 then try this:

    Go to my site here

    Download Smitfraud fix

    Then follow my instructions on my site above. Then post the log produced and see if anything works any better.

    Then if so follow through the 8 steps instructions.
     
  3. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    OK, we finally have the logs if you could check them out.
    She told me that the computer seems fine now; she isn't getting the update popups she was getting before.

    We weren't able to do any updates though because she couldn't connect the laptop to the internet where she was.

    I attach the logs we have and look forward to any recommendations.

    We didn't fix anything from the HijackThis scan, we just saved the log file.

    Hi rev,
    I just saw your reply; I forgot to refresh the page.
    Now that we have the logs, should we still try your recommendation? I'm a bit worried about the warning on your site:

    "Caution! Caution! Caution! Caution! Caution! Caution!

    This is very very powerful software and must be used with extreme caution. In incapable hands this can cause problems on your entire system. Don't say you haven't been warned"
     
  4. SpiritWind

    SpiritWind TS Rookie Posts: 164

    2 antivirus programs

    Hi:

    It is a security NO-NO to have 2 antiVIRUS programs "running" on a computer,
    such as Symantec/Norton and Avira/AntiVir, since they "conflict" with each other,
    causing a reduction of coverage. So IF you and she decide to retain Avira, then
    Symantec/Norton could be "Uninstalled" by using the "Add or Remove Programs"
    section of the computer AND then running the "Norton Removal Tool", one of which
    is available at www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

    P.S. I do not think "rev"'s Smitfraudfix should have been recommended in the 1st
    place; it was probably only because you said you could not get the Malwarebytes scan to
    finish.
     
  5. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    I think that she might have paid for Norton, so assuming that it still updates I'll get her to remove Avira.

    Otherwise, do the logs seem OK?
     
  6. rev_olie

    rev_olie TS Maniac Posts: 560

    Haha sorry,

    That caution is just to put people off until I tell them to use it.

    Go ahead, it's absolutely fine.

    Then repost with the log from Smitfraudfix along with a fresh HijackThis log and new Malwarebytes and SUPERAntiSpyware scans.

    The recommendation, SpiritWind, was on the basis that the user had pop-ups from Antivirus 2009. This is the recommended fix and will give the best removal while we were waiting for the HJT log. The instructions should still be followed through.
     
  7. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    Good morning.
    When she got back home she told me that when she tried to use IE a page came up saying something about Antivirus 2009. It wasn't a popup; from what she said it seemed to be similar to a page load error.

    She said however that if she pressed back she could go to the page she wanted.

    Antivirus 2009 is evidently still there. I will get her to do your recommendation and post the logs. Thanks Rev
     
  8. rev_olie

    rev_olie TS Maniac Posts: 560

    Yep, definitely go with that and then go and follow the 8 step process again and get all of the logs. Malwarebytes and SUPERAntiSpyware are updated very regularly, so make sure you check for updates before scanning to be sure.
     
  9. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    She is having difficulty getting it into safe mode using F8. Is this the same as putting it into diagnostic mode through msconfig?

    Is there another way to do it?

    OK, she got it.
    She's in safe mode.
     
  10. rev_olie

    rev_olie TS Maniac Posts: 560

    OK, if she's in safe mode then follow the instructions and post the log.

    Just to make sure you saw the edit and comment by kimsland: in the future can you use the edit button instead of replying again? It makes it easier, that's all. Thanks :)
     
  11. Arsenalman

    Arsenalman TS Rookie Topic Starter Posts: 18

    new logs

    Sorry about the delay.
    She had an exam so she had to put off doing the scans.
    I have attached them.

    She did the scans in safe mode because malware and SAS kept getting stuck otherwise.

    The visible symptoms she has described are with IE specifically: it does not load pages, saying they are blocked.
     
  12. rev_olie

    rev_olie TS Maniac Posts: 560

    That's OK,

    This is a really busy HijackThis log. There has been a lot removed.

    To help me look through your scan better I'm going to ask you to remove some bits now so I can search better.

    Please go back into HijackThis and click Scan. Check the boxes next to all the entries listed below:

    Code:
    O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: (no name) - {32CC2065-AF28-4CC5-85DF-1FCF78FB2DF6} - (no file)
    O2 - BHO: (no name) - {35FC4D45-1918-485A-9237-863F78871541} - C:\WINDOWS\system32\byXRjklJ.dll (file missing)
    O2 - BHO: (no name) - {426646a5-b3d5-421b-90b1-5ed78529bad7} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
    O2 - BHO: (no name) - {698109a6-c66d-48ab-b1fc-bb2490fe7406} - (no file)
    O2 - BHO: (no name) - {6A6C1E87-D6C5-4F07-AEC4-CFE2EAA62981} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8b1bdea1-1b24-4f1f-8816-3e69844bb164} - (no file)
    O2 - BHO: (no name) - {a78e157e-85c1-432f-af4d-9fa096f4fbfc} - (no file)
    O2 - BHO: (no name) - {E3B21DE9-0EAA-406B-ABE5-275A0782B5A9} - C:\WINDOWS\system32\urqNDSIx.dll (file missing)
    O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O2 - BHO: (no name) - {F4D3B047-0C10-4734-B9CB-7A8011626202} - (no file)
    These will help to clear up the log.

    Now a few other things to bring up.
    • 1, What were the results of the Smitfraudfix scan? Did it appear to find anything? Did anything improve afterwards?
    • 2, Are there any pop-ups remaining?
    • 3, You have 2 antivirus programs installed, Avira and Symantec. You only need 1 installed. You should remove, in my opinion, the Symantec antivirus. If you uninstall one or the other please let me know in your response.
    • 4, You have a P2P program installed. I began the process of removal and so I will continue, but please be aware that this will not help your security level at all.

    In your next reply please post RUN AND ATTACHED in this order:
    • A fresh Malwarebytes scan. UPDATE BEFORE SCAN
    • A fresh SUPERAntiSpyware scan. UPDATE BEFORE SCAN
    • A fresh HijackThis log. This should be run AFTER the Malwarebytes and SUPERAntiSpyware scans.

    Also include the answers to the 4 questions above.

    EDIT: Please before running Hijackthis next, please right click the icon and rename to something other than hijack this, like "you cant hide from me" or "crusty" as some forms of malware can hide from the Hijack this name.
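
The O2 entries listed in the last post are Browser Helper Object registrations whose DLL is "(no file)" or "(file missing)". As an added example (not part of the original thread, and not code from HijackThis), this Python sketch parses O2 lines in the layout shown above, picks out those orphaned registrations, and matches them against the file path Avira reported earlier in the thread. The function names and the last sample line are constructed for illustration.

```python
import re
from collections import namedtuple

# One parsed O2 (Browser Helper Object) line from a HijackThis log.
BHO = namedtuple("BHO", "name clsid path status")

# Layout assumed from the lines quoted in the thread:
#   O2 - BHO: <name> - {CLSID} - <path or marker>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)

def parse_o2(line):
    """Return a BHO tuple for an O2 line, or None for any other line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    if target == "(no file)":
        path, status = None, "no_file"
    elif target.endswith("(file missing)"):
        path, status = target[: -len("(file missing)")].strip(), "file_missing"
    else:
        path, status = target, "present"
    return BHO(m.group("name"), m.group("clsid").upper(), path, status)

def orphaned(log_text):
    """BHO registrations whose DLL is absent (the kind ticked for fixing above)."""
    entries = (parse_o2(line) for line in log_text.splitlines())
    return [e for e in entries if e and e.status != "present"]

def matches_detection(entries, detected_path):
    """Entries whose recorded path equals a file the antivirus already reported."""
    want = detected_path.lower()
    return [e for e in entries if e.path and e.path.lower() == want]

# First three lines are copied from the thread; the last is constructed for contrast.
SAMPLE = r"""
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {35FC4D45-1918-485A-9237-863F78871541} - C:\WINDOWS\system32\byXRjklJ.dll (file missing)
O2 - BHO: (no name) - {E3B21DE9-0EAA-406B-ABE5-275A0782B5A9} - C:\WINDOWS\system32\urqNDSIx.dll (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

if __name__ == "__main__":
    found = orphaned(SAMPLE)
    for e in found:
        print(e.status, e.clsid, e.path or "-")
    hit = matches_detection(found, r"C:\WINDOWS\system32\urqNDSIx.dll")
    print("also reported by Avira:", [e.clsid for e in hit])
```

A "file missing" entry whose path matches an earlier detection shows the DLL was quarantined while its registry registration was left behind, which is why the log stays noisy until those entries are fixed.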
     
Topic Status:
Not open for further replies.
