Solved Virus help

Status
Not open for further replies.

bugbitten

Hi, a friend told me this was the place to ask for help in getting my machine properly clean.

I've gone through the 8 steps and attached the log files. Before doing so I had run Malwarebytes, SUPERAntiSpyware and AVG, which cleaned a lot, so I am hoping there is not that much to get rid of.

Any help would be greatly appreciated.

Thanks
 

Attachments:

  • hijackthis.log (8.7 KB)
  • SUPERAntiSpyware Scan Log - 03-11-2010 - 14-02-01.log (1.7 KB)
  • mbam-log-2010-03-11 (12-52-13).txt (864 bytes)
bugbitten, I will check your logs. But please tell me what problem(s) you're having.
 
thanks

It's my mum's computer. I used it the other day and doing anything on it was so incredibly slow, so I knew it had lots of rogue software on it.

It's better now after lots of adware & Trojans have been removed, but I want to make sure it's fully clean as they usually come back again.

SUPERAntiSpyware lists Gen-nullo; this was already removed and has come back.

Not sure what else you need to know.

thanks
 
Thank you. It helps us to know what the problem is. As for slowness, there can be many reasons for that. We will evaluate the system for malware here to see if it is contributing to the slowness.

You have malware in the System Restore points. I will have you remove them and set a new clean one when the system is clean. But please don't do any System Restores now, as it will reinfect the computer.

Let's make sure everything is found and removed. Then I will make some suggestions for processes that can be taken off of startup.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Rescan with HJT when finished and include the new log with the ComboFix report and the Eset online scan log.

I suggest you update AVG to v9 which is the current version. You still have v8.

Questions:
1. Did you have Microsoft Money, but are no longer using it?
2. Did you have an HP printer/scanner/copier but are no longer using it?
3. Are you using an Epson printer now?
4. Are you aware of a program named Big Fish on the system and do you use it?
 

Hi Bobbye,

Done them, thanks. Attached are the log files.

1. Did you have Microsoft Money, but are no longer using it?
Yes, not required. I have removed it via 'Add/Remove'.

2. Did you have an HP printer/scanner/copier but are no longer using it?
Yes, no longer required.

3. Are you using an Epson printer now?
Yes, required.

4. Are you aware of a program named Big Fish on the system and do you use it?
Yes, not required. I have removed it via 'Add/Remove'.
 

Attachments:

  • _combo-fix.txt (16.8 KB)
  • _ESET_log.txt (827 bytes)
  • hijackthis.log (7.7 KB)
Thanks. You had entries for all of these and I didn't want to have you remove something you were using. It looks like AVG v9 was downloaded and installed as a new program instead of updating from v8. You may have needed to do the separate install, but there are multiple entries loading from AVG v8.

Check in Add/Remove Programs in the Control Panel. If AVG v8 is listed there as well as AVG v9, please uninstall AVG v8. Then:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Using Windows Explorer: Windows key + E> click on My Computer> double click on Local Drive (C:)> click on Program Files> AVG: if you see 2 folders, find v8 and delete it. If you only see 1 folder, double click to open> look for any v8 files and delete them.

Then exit Windows Explorer.

There are also several Update Setups, mostly for Real Player. When you download a program and save it to your desktop, the saved file is called the 'setup.' Most programs will eventually remove the setup once the program has been installed. But what I'm seeing is a process used on IBM computers for incremental updates. I also see setup 3.10, which indicates possible file sharing.

Here are 2 examples:
c:\documents and settings\david cooper\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
c:\documents and settings\david cooper\Application Data\Real\Update\setup3.10\RUP\vista.exe


Can you help me out on these files? You should be able to remove the setups once the program is installed, but I am not familiar with the RUP process which is described as:
Rational Unified Process (RUP), the IBM / Rational Software development process

I don't see any malware in the logs. Is there any obvious problem with the system now?
 

Hi Bobbye,

It seems quite well at the moment; the computer is more responsive and I can't see any internet communication when there should not be.

Removed the AVG 8 stuff via Safe Mode.

Just removed all of Real Player, including everything in:
c:\documents and settings\david cooper\Application Data\Real

I've installed ZoneAlarm firewall to use instead of Windows Firewall.

One thing though: I keep on getting 'Google Updater' trying to connect to the internet. It's listed in the attached last HijackThis log; in Services I have it set to disabled, so I'm not sure how it's starting itself after a reboot. I could just delete it, but I'm sure there is a better way to remove it...


Thanks
 

Attachments:

  • hijackthis.log (7.3 KB)
About the Google Updater: I can tell you how to turn it off, and it may stay off. But I have 'caught' mine sneaking back onto the Startup menu! Here's a comment from Google Groups that pretty well sums it up:
The current incarnation of Google Updater installs itself in three places:
1) It sets up a scheduled task called "Google Software updater" that runs on two schedules:
EVERY DAY at 12:12 PM (this time might be random on your machine)
and also EVERY 20 MINUTES FOR A DURATION OF 100 DAYS (2400 HOURS) beginning when you installed Google Updater.
2) It sets up a service that runs ON EVERY SYSTEM BOOT (automatic service start).
3) Finally it sets up an APPINIT DLL -- meaning something that runs IN THE MIDDLE OF THE WINDOWS BOOT PROCESS BEFORE SERVICES HAVE EVEN STARTED.

This is EVIL. EXTREMELY EVIL. VERY ALL EXTREMELY EVIL. It is clear that they want to have contact with your computer whenever they feel like it, and I do NOT grant them that permission, regardless of what they think they can enforce with evil tricks and with their EULA.

I will run Google Updater EXACTLY AS LONG AS I WANT TO, WHEN I WANT TO, AND IMMEDIATELY AFTER I WILL DISABLE EVERY AUTOSTART THAT IT JUST SET UP. Got that Google? It's MY MACHINE, NOT YOURS.

Directions for Removing the Updater: Uninstall the Updater HERE.

Remove all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer.
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if you need help in the future.
 
Cheers
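As an added example (not code from the thread, from TechSpot or from Google), here is a PowerShell script that checks a Windows machine for the three autostart locations the quoted comment lists (scheduled task, service, AppInit_DLLs), so that after a cleanup you can confirm none of them has come back. It assumes PowerShell 2.0 or later on the XP-era machine and takes the product name to look for as a parameter; "Google" is the default because that is this thread's case.

```powershell
# Added example: audit the three autostart locations named in the quoted comment.
# Assumes PowerShell 2.0+ (XP/2003 era); uses schtasks.exe and WMI because the
# Get-ScheduledTask cmdlet does not exist on those versions.
param([string]$Name = "Google")   # hypothetical parameter; product name to match

function Get-AutostartFindings {
    param([string]$Pattern)
    $findings = @()

    # 1) Scheduled tasks: verbose CSV output is parsed into objects so the task name
    #    and the command it runs can both be matched against the pattern.
    $tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -match $Pattern -or $t.'Task To Run' -match $Pattern) {
            $findings += New-Object PSObject -Property @{
                Location = "ScheduledTask"; Name = $t.TaskName
                Detail   = "$($t.'Task To Run') [Status=$($t.Status)]"
            }
        }
    }

    # 2) Services: WMI exposes the binary path and start mode; StartMode=Auto means
    #    the service runs on every boot, as the comment describes.
    foreach ($s in Get-WmiObject Win32_Service) {
        if ($s.Name -match $Pattern -or $s.PathName -match $Pattern) {
            $findings += New-Object PSObject -Property @{
                Location = "Service"; Name = $s.Name
                Detail   = "$($s.PathName) [StartMode=$($s.StartMode), State=$($s.State)]"
            }
        }
    }

    # 3) AppInit_DLLs: every DLL listed here is loaded into each process that links
    #    user32.dll, i.e. before services start, which is why the comment singles it out.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    $appInit = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit -and $appInit -match $Pattern) {
        $findings += New-Object PSObject -Property @{
            Location = "AppInit_DLLs"; Name = "AppInit_DLLs"; Detail = $appInit
        }
    }
    return $findings
}

# Print whatever matched; an empty table means none of the three locations
# currently references the product.
Get-AutostartFindings -Pattern $Name | Format-Table Location, Name, Detail -AutoSize
```

Run it from an elevated PowerShell prompt, since reading the service list and the HKLM key may need administrator rights on some configurations.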

Thanks tons Bobbye,

Frikken Google. I love their online products but have always stayed away from their PC-based products. Mind you, loads of companies are starting to behave like malware; I have had iTunes reinstall components after fully installing the whole product base before as well.

You've been of great help... If I could pose a suggestion (not sure exactly how this site runs, etc.), you should have a 'happy with your help, donate' PayPal-style button.

I have read through a few of the forum trails, and you, Broni et al. provide such a helpful and useful service that you must actually be saving quite a few people money in the time and effort of saving their computer config and years of personal data (no one wants to wipe and start again, even with backups; they could be corrupted).

I would happily have donated.

All the best, I will follow your last instructions.... and thanks again. I might come back if I get any wobbly moments with the PC, but it seems nice and clean.
 
By the way...

I looked at the Google uninstall page.

1) Uninstall from Start menu: it's not in there anyway.
2) Uninstall from Control Panel: it's not there anyway.
3) Uninstall via command line: did not work, no response message either.

So instead I disabled the service and manually deleted the Google directory under Program Files; had to reboot first.

I realise it's not a good thing to do, but F them, I would rather deal with pop-up errors than let them take the piss.
 
Thanks for the offer about a donation. I do see many sites that have this feature, but I don't think TS is one of them. While I'm sure the site owner appreciates your offer, it seems that the preference is to offer free help and information; that's always been my thought. If I'm wrong about that, I'll let you know.

That was a pretty strong quote about the Google Updater, wasn't it? It's on everyone's system in the logs I see, and somehow Google gets around whatever we do and puts it back on. I have only 4 processes on Startup, which I recheck often. Darn if Google Updater doesn't get back on!

Now that the system is clean, here are some tips to keep it that way. Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier versions, as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through configuring security settings, managing ActiveX controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
5. Use an antivirus software (only one).
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or ZoneAlarm
7. Consider these programs for extra security:
  • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know.
I'm going to close this thread as Resolved. If the problem begins again, you can send me a PM and reference this URL: https://www.techspot.com/vb/topic144313.html#post862915
 