Help with viruses - 8 steps complete

Status
Not open for further replies.
Hello all, I am working on my son's pc that didn't have an antivirus for a while and he had several trojans and spyware files. I have since loaded Norton on his pc and have done all of the 8 steps you recommended. The pc is still running terribly slow and seems to still be off a bit. Can you please look at my attached logs and tell me what else I might need to do?

I also want to thank all of you for the wonderful work you do! You're awesome and I appreciate all of your help!
 

Attachments

  • mbam-log-2009-03-30 (11-04-04).txt
Both MBAM and SAS had found items and could find more, so UPDATE both and run both again. Quick scans. Post logs.

Norton is one of the best ways I know to bog down a computer.

Mike
 
Updated logs

Hello Mike, I have re-scanned with MBAM and SAS with the update and it found nothing. Here are the attached logs. I know Norton can slow down a pc a bit, but I have it on several pc's here and it doesn't slow them down as bad as this one which had the viruses and trojans. Thanks for your help.
 
Please disable Real Time Monitoring per Step 3:

AD-AWARE AD-WATCH
* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
  o Active: This will turn Ad-Watch On\Off without closing it.
  o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps, but this time check both boxes.)

Didn't anyone realize that the first set of logs actually has 2 SAS logs? The log named mbam was SAS!

Remove bad HijackThis entries
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {E862B922-9C1E-488E-AAC3-D3C93CB16429} - (no file)
O20 - Winlogon Notify: gqckoxjm - gqckoxjm.dll (file missing)
O20 - Winlogon Notify: hgggdbb - hgggdbb.dll (file missing)

Run LSP-Fix:
Step 1: Download and run LSP-Fix.
Download LSP-Fix HERE and save it into its own directory.

Step 2: Once the exe file is on your desktop, double-click on it to open it.

Step 3: In the left-hand column, you should see the NWPROVAU.DLL file listed. Click on it to highlight it, then click the arrow in the middle of the screen that points to the right.
You may also see gqckoxjm.dll and hgggdbb.dll. Highlight and move these to the right also.

This will move the filename to the right-hand column labeled Remove.

NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing".

Step 4: Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.
Step 5: Run HijackThis and the entry for NWPROVAU.DLL should now be gone from the list.
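The HijackThis entries flagged in this post, and again in the later posts about the AVG toolbar, the Poker.com button and the AskBar BHO, share one pattern: the registry still references a BHO, toolbar, button or Winlogon Notify DLL whose file is gone, shown as "(no file)" or "(file missing)". As an added example, not code from this thread or from HijackThis, the Python below parses such lines, pulls out the section and CLSID, flags the dangling entries, matches the CLSIDs the thread attributes to AVG and AskBar, and marks O16 ActiveX download entries for review. The sample lines are the ones quoted in this thread; the known-CLSID table, the flag wording and the function names are assumptions made here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing) (HKCU)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - Winlogon Notify: gqckoxjm - gqckoxjm.dll (file missing)
""".strip()

# CLSIDs this thread attributes to specific products (assumed lookup table, not a HijackThis feature).
KNOWN_CLSIDS = {
    "{A057A204-BACC-4D26-9990-79A187E2698E}": "leftover AVG toolbar entry",
    "{201F27D4-3704-41D6-89C1-AA35E39143ED}": "AskBar BHO",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str            # e.g. "O2", "O20"
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # upper-cased CLSID if the line carries one
    orphan: bool            # registry reference whose file no longer exists
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for lines that are not Oxx entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    cm = CLSID_RE.search(body)
    clsid = cm.group(0).upper() if cm else None
    orphan = any(marker in body for marker in ORPHAN_MARKERS)
    entry = Entry(section, body, clsid, orphan)
    if orphan:
        entry.flags.append("orphan: registry points at a file that no longer exists")
    if clsid in KNOWN_CLSIDS:
        entry.flags.append("known: " + KNOWN_CLSIDS[clsid])
    if section == "O16":
        entry.flags.append("review: ActiveX download (DPF) from a remote site")
    if section == "O20" and orphan:
        entry.flags.append("review: Winlogon Notify DLL missing, typical leftover of a removed infection")
    return entry


def triage(log_text: str) -> List[Entry]:
    """All parsed entries in log order."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e is not None]


def fix_candidates(log_text: str) -> List[str]:
    """Lines a reviewer would put a check beside in HijackThis (any flag raised)."""
    return [e.section + " - " + e.body for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        status = "; ".join(e.flags) if e.flags else "leave alone"
        print(f"{e.section:<4} {status}")
```

The O4 Ad-Watch line is deliberately left unflagged: it points at a file that exists and is the user's own protection, which is why the thread asks to disable it rather than remove it.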
 
new scans

Thanks Bobbye for helping. I have done all of what you requested. I have rescanned and I am attaching the new files. Sorry about attaching the wrong files in the first post.
 
OK, run HJT Scan Only, select and Fix the below.
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

Then do the below.

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while it's running. That may cause it to stall.

Mike
 
Good! That cleared out some unwanted entries!

But at the risk of sounding pushy, I remind you once again of this:
From Virus and Malware Removal Prelims: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Step 3
Temporarily Disable Real Time Monitoring Programs

This is because some real time protection programs can interfere with any fixes we are trying to run.

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

Disabling instructions in my Post #4
If you have other protection that may need to be disabled, feel free to ask in your thread in the security section.
Once your system is clean, you are advised to turn the protection back on.

Did your son ever have AVG on the system? The pesky entry below is a 'leftover' Registry entry from AVG:
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
{A057A204-BACC-4D26-9990-79A187E2698E}> AVG

You might have to search the system, including 'show hidden files and folders' and look for and delete any AVG entries.

Party Poker is going to leave malware on the system:
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing) (HKCU)

Mike, instruct on Adobe Update or FoxIt Alternate. Version on system now is Acrobat 6.0.
 
Hey Bobbye, I am sorry about the real time monitoring, I do disable it before doing the scans but I had rebooted right before doing the logs (duh) and it re-enables. I am sorry about that, I will keep a better eye on it. As for AVG, yes he has had that on before. I will search and delete anything found left over. Should I delete the O3 toolbar and the party poker from hjt? Also I will update Acrobat and get back to you. Thanks again.

Thanks wonderful people for helping. I have updated Adobe, done the ComboFix, gotten rid of the O3 toolbar and deleted everything that had to do with AVG. AND I made sure this time I didn't reboot so realtime scanning is still shut down.
 
OK on AdWatch, but it should not come back on if you follow the steps to disable it.

Sounds like you're coming along fine. He may go back to the Party Poker site, but encourage him to stay away. These gaming sites, Party Poker in particular, are notorious for the trash they put on a system.

Regarding the Adobe Reader: Most of us think that it is the only PDF reader in town; for a while early on, it probably was. But it comes with a huge amount of bloat. This takes up hard drive space and uses a lot of resources when it's running. The alternate which many of us have gone to is FoxIt, which Mike recommended.

It is free, it does the same thing as the Adobe Reader and it comes without bloat. Give it a try sometime. If using it, you can go to Add/Remove Programs and remove the Adobe Reader and its bloat files.

IF you go to the FoxIt site, make sure you click on "Free Download" NOT "Get It Free." The first is the free reader which is all you need and the second is a paid reader plus other utilities and apps you DON'T need.

Be sure to UPDATE ComboFix before scanning again.

Happy computing!
 
Updated logs

I have done the AVG fix and the Kaspersky download... although it looked as if nothing happened. I have uninstalled Acrobat and installed FoxIt and had the dreaded talk with him about the poker site. Hopefully we are getting close. Here are the updated logs. Thanks again for all of your help.
 
You did a great job!

Do the below and we are finished!

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to reboot, click Yes.
OTCleanIt will delete itself when finished. If not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom, no Yahoo toolbar)
Run twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean. You may have this from the 8 Steps.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
-------------------------------------------------------------------------------------
The issues can be, and are likely, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point, but it also does one other thing, to something that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install; check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use System Restore and other Registry and Image backups.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally, run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions, ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about a prompt, to help you determine whether to approve or not, you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install and run it, allow it to disable DNS Client, select all Host files, and then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
This is all FYI! Use it or lose it. You should draw a bargain with your son that if he doesn't surf safely, you won't clean up his machine!

The Ask Bar has found you, again! Something everyone needs to be aware of and look for: many software makers are pre-checking something, usually a Toolbar, on their update sites. You can see this here: Sneaky, sneaky!
2009-04-12 02:22>> c:\program files\AskBarDis
2009-04-12 02:21 >>c:\documents and settings\PJ\Application Data\Foxit
2009-04-12 02:21>> c:\program files\Foxit Software
The above is from the ComboFix report. It's not malware, but it clearly shows that Ask Bar came when you downloaded Foxit! We usually tell people to remove the AskBar as it is very "ad" loaded.

The interesting thing is that the AskBar is already loading from the Registry! Note the date:
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects>> 2008-11-18 17:58 c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]>>
"c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]>> "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
The bad news is that it looks like he has Limewire stashed!
"c:\\Documents and Settings\\PJ\\My Documents\\My Music\\iTunes\\LimeWire\\LimeWire.exe"= This is a file sharing program. From kritius:
I'd like you to read the Guidelines for P2P Programs: http://spywarewarrior.com/viewtopic.php?t=26216 where we explain why it's not a good idea to have them.

If you want to remove AskBar, check the following entries and let HijackThis remove them. When through, boot into Safe Mode, use msconfig to take AskBar off of Startup, then uninstall it in Add/Remove Programs in the Control Panel. (Ignore the nag message when you reboot, check 'don't show again..' and close.)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Party Poker:
Have HijackThis remove this button:
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing) (HKCU)
About Party Poker:
The program is a privacy and possible security risk, and I recommend you optionally uninstall it. If you choose to do so, go to Start > Control Panel > Add or Remove Programs and remove the following program:
PartyPoker

Then, using Windows Explorer, delete its program folder at:
C:\Program Files\PartyGaming


You may want to stop this from running in the background: Check for HJT to remove, then:
Open IE> Tools> Manage Add-on> find the Panda entry> highlight Disable.
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

Mike will handle the important 'stuff'!
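Bobbye's point that AskBar arrived with the Foxit download rests on the creation timestamps in the ComboFix report: three directories created within a minute of each other, only two of which belong to the product the user meant to install. As an added example, not part of this thread and not ComboFix's own code, the Python below parses the "date time>> path" lines of such a report, groups directories created within a few minutes of one another, and reports bursts that contain more than one vendor, which is how bundled toolbars show up. The three AskBarDis/Foxit lines are the ones quoted above; the Malwarebytes line, the registry line (included to show it is ignored), the five-minute window and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: the three AskBarDis/Foxit lines are quoted in this thread;
# the Malwarebytes line and the registry line are added here for illustration.
SAMPLE_REPORT = r"""
2009-03-30 11:04>> c:\program files\Malwarebytes' Anti-Malware
2009-04-12 02:22>> c:\program files\AskBarDis
2009-04-12 02:21 >>c:\documents and settings\PJ\Application Data\Foxit
2009-04-12 02:21>> c:\program files\Foxit Software
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]>>
""".strip()

# "YYYY-MM-DD HH:MM>> path", tolerating spaces on either side of the ">>" separator.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*>>\s*(.+?)\s*$")


def parse_created(report: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, path) pairs, oldest first; lines without a leading date are ignored."""
    found = []
    for line in report.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            found.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)))
    return sorted(found)


def cluster_installs(report: str, window_minutes: int = 5) -> List[List[Tuple[datetime, str]]]:
    """Group entries whose creation time is within window_minutes of the previous entry (one install burst)."""
    clusters: List[List[Tuple[datetime, str]]] = []
    for ts, path in parse_created(report):
        if clusters and ts - clusters[-1][-1][0] <= timedelta(minutes=window_minutes):
            clusters[-1].append((ts, path))
        else:
            clusters.append([(ts, path)])
    return clusters


def vendor_key(path: str) -> str:
    """First word of the last path component, lower-cased, so 'Foxit' and 'Foxit Software' both give 'foxit'."""
    leaf = path.replace("/", "\\").rstrip("\\").split("\\")[-1]
    return leaf.split()[0].lower()


def bundled_suspects(report: str, window_minutes: int = 5) -> List[List[str]]:
    """Vendor sets that appeared in one burst; more than one vendor suggests a bundled install."""
    suspects = []
    for cluster in cluster_installs(report, window_minutes):
        vendors = sorted({vendor_key(p) for _, p in cluster})
        if len(vendors) > 1:
            suspects.append(vendors)
    return suspects


if __name__ == "__main__":
    for vendors in bundled_suspects(SAMPLE_REPORT):
        print("installed together:", ", ".join(vendors))
```

The timing heuristic only narrows the field: it tells you which directories to look at, and the registry lines (the BHO and Toolbar keys pointing at askBar.dll) are what confirm the extra product actually hooked into the browser.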
 