TechSpot

Very bad virus please help

By diziego
Jan 20, 2010
  1. my dad was using my computer yesterday and always falls for the stupid fake "antivrus cleans" that pop up on the internet. there is tons of security warning pop up messages that say "Application cannot be executed. The file wscntfy.exe is infected. Do you want to activate your antivirus software now? if you click yes it takes you to a fake antivirus website and seems to pop up on the taskbar.
    please help
    i have no idea what to do and it wont let me run any programs except for mozilla.
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Tell us your computer brand, model, and configuration.
    Tell us you antivirus and antispyware programs
    or download and run the free versions of Avir Antivir, Microsoft Security Essentials, Windows Defender, MalwareBytes, and SuperAntiSpyware.
    It may take all of those programs to completely clean your machine, or it still may not be enough.
    In which case, come back to TechSpot and run the 8 steps.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    diziego, please follow the steps HERE.

    When you have finished, please attach the 3 logs to your next reply.

    Be sure to check the lines in Malwarebytes and Superantispyware to remove the malware found.
    Don't make any removals in the HijackThis log- I'll help with that.

    Attention Raybay: Please use the link to refer members to the steps for preliminary cleaning:
    http://www.techspot.com/vb/topic58138.html
     
  4. diziego

    diziego TS Rookie Topic Starter Posts: 23

    i dont know if you were suppose to have a link under the word "here", but i went on ahead and did the superantispyware hijackthis and malwarebytes scans. my logs are attached below
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Oh my goodness! Here I was chewing another member out for not leaving the link and I forgot to put it in! I edited the post and it's in now, but I appreciate you going ahead anyway. The steps can be found HERE.

    Before we do any cleaning, you will need to resolve this:
    I have noticed that you have multiple antivirus programs running.
    Norton Internet Security
    Avira


    You should decide which you want to keep and remove the others for the following reasons:
    • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • Multiple antivirus programs can also slow down the system.

      If you are using a paid program, Consider removing the free programs. If you are using a Trial of a paid program, please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful:
    • Norton Removal Tool Download tool, save to desktop.
      Note:Security programs are best removed while in Safe Mode. Download the removal tool and save to your desktop. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
      Double click on the Norton Tool you saved to run. Follow onscreen prompts
      OR
      Begin the removal process for Avira below.
    • Avira Uninstall steps:
      [o] Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
      [o] Wait for the list of installed programs to load, then click the name of the Avira program.
      [o] Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
      [o] Press Yes, to confirm the removal and then OK.
      [o]. Click Next until Finish. The software is removed.
    -----------------------------------------------------------
    P2P or 'file sharing Warning:
    I notice that you are running this P2P program: uTorrent
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    ------------------------------------------------
    When you have resolved the above, please remove the version of Malwarebytes you have (v1.3.8) and the log it crested, and download and run the current version v1.4.4 from the site link. You also forgot to check the removal line I pointed out:
    so the malware entries it found show No Action Taken. So you would have had to rescan even if you had used the correct version.
    ----------------------------------------------
    If you did not check the comparable line in SAS, update and rescan again.
    Rescan with HijackThis when finished.

    Attach logs for all three of the scans in next reply.
     
  6. diziego

    diziego TS Rookie Topic Starter Posts: 23

    ok i did all the steps
    here are my logs
     

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I'm behind- again! I noticed you have this same entry twice:

    C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
    C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe


    Suggest you check Programs through Windows Explorer to make sure you don't have 2 copies. This had a lot of bloat with it.

    The following are some processes you likely don't need on Startup- or at all:
    Please reopen HijackThis to 'do system scan only.' and check the following as instructed:

    These 2 files are to enable multiple display monitors on a single computer. If you are using it, leave. If not, check for HijackThis to remove:
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook


    This is for a Multimedia Keyboard companion on HP computers. If you use it, leave. If not, check for removal:
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

    This is for Logitech Multimedia keyboard. If using, leave. If not check for removal:
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

    You do nit need these programs to start on boot and run in the background. Check for removal, then take off off the Startup menu:
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab


    Additional for the Eset scan: Open Tools in IE> Manage add-ons> Disable the Eset entry when we are finished. (you will use it once more)

    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Follow with online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please attach SDFix report, Eset log and rescan with HJT, leaving new log.
     
  8. diziego

    diziego TS Rookie Topic Starter Posts: 23

    ok i finished the steps.
    i had trouble finding:
    C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
    C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
    so i dont know if i fixed that
    some things that you told me to fix on hjt i couldnt find but i did everything as best as i could
    i attached my logs below
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please describe what-if any- system problem related to malware remain.

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Documents and Settings\Owner\Local Settings\temp\NERO1005263\unit_app_75\Toolbar.exe	
      C:\\Program Files\\LimeWire\\LimeWire.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Make sure all entries for the Ask Bar are removed:
    Uninstall in Add/remove Programs
    Use Widows explorer> My Computer> Local Drive (C)> Programs> right click> delete any folder for Ask Bar.

    Regarding the 2 Norton entries: I want you to take the same Windows Explorer path as above for Ask Bar. See if you have two Norton Internet Security folders. IF you do, do a right click> Properties on each and check the contents. Don't remove- just tell me what properties they have.

    The SDFixc doesn't look like a full scan. Depending on remaining problems, I may have you repeat it.
     
  10. diziego

    diziego TS Rookie Topic Starter Posts: 23

    i didn't seem to find 2 of the Norton files or any of the "ask" files. i did the OTMovit
    and attached my log below
     

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you reboot to finish the removal?
     
  12. diziego

    diziego TS Rookie Topic Starter Posts: 23

    yeah everything seems to be fine now, just alittle bit slow. anything we could do about that?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I rechecked the first HJT log. There are a few processes you can stop, but they won't make that much difference. I will point them out to you if you run a new HijackThis scan.

    How much RAM do you have installed?
    Control Panel> System> General tab> RAM should be seen on the lower part of the screen.
    That can make a big difference. Windows XP needs at least 512MB of RAM to run well- more if you do high resource uses like music downloads, video viewing, etc.

    If you consider the work finished, you can remove the cleaning tools and old restore points. But don't do this yet if you want to continue:
    Remove all of the tools we used and the files and folders they created
    • DownloadOTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.[​IMG]
      [*] If you are prompted to Reboot during the cleanup, select Yes.

    The tool will delete itself once it finishes.

    If you are prompted to Reboot during the cleanup, select Yes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...