How do we remove ALL residual infection?

By guyzie · 20 replies
Jan 15, 2009
  1. Hello!

    I completed the 8 steps a few weeks back and the problem seemed to be under control so I didn't upload any logs. This week I noticed another infection relapse again, probably because it was never removed to begin with.

    I am uploading my logs to you now and hope that you see something that may be causing this to happen.

    Also, is there any definitive way to remove all possible residual infection without having to reformat the computer? Any suggestions on programs that are the best "disinfectant" for viruses and malware?

  2. adweston

    adweston Banned Posts: 242

    The reason is because the 8 steps don't deal with a few key issues regarding infections.

    The biggest issue not addressed is rootkits. We experimented with this today at the office, using the tools mentioned. At the end, we installed Kaspersky Internet Security 2009.

    The second the computer rebooted after Kaspersky was updated, etc, it caught an infection. The infection was named Temp01.exe, buried deep in the folder tree, called from an entry point in the registry that absolutely none of the logs in the 8 steps pointed out.

    What happens, then, is this. The rootkits, typically trojan downloaders, open up a back door to your computer. Just like the Trojan Horse in the War of Troy, they invite other infections. In no time whatsoever your computer will be infected all over again. Unless you are a professional well versed in rootkits and kernel hooks, chances are very, very high of rapid reinfestation.

    If I may recommend some steps for you to effect a nearly fully automated process, it would be these:

    2) Download Malwarebytes
    3) Download Hijackthis
    4) Download Rootkit Hook Analyzer
    5) Download AVG 8 Free or Avira. I used to love Avast, but this year we've seen numerous infections that Avast can't deal with effectively, failing to remove the key components.
    6) Download WinsockXP Fix

    It is of utmost importance that you follow these steps precisely. If I incorporate it into a guide I will incorporate details from the 8 step guide. For now, use that guide as a reference for tips on how to use the programs mentioned.

    Run Combofix in Safe Mode (Press F8 repeatedly after the BIOS post screen). Tutorial and current status is here. It is important that you read the tutorial before proceeding!

    Restart in normal mode and remove any old protections, including Spybot. Removal tools are available for AVG, Norton and McAfee.

    Install/update AVG8 or Avira. Preferably AVG8 due to its superior antimalware/rootkit component. Avira Antivir Pro is the good one, but it's a paid product. The other two best paid products are Eset NOD32 and Kaspersky.

    Install/update Malwarebytes.

    Do a full system scan with Malwarebytes. AVG 8 will pick up little pieces along the way with its Resident Shield. Quarantine them. At the end of the scan, click "view results" and then "repair all unhealed infections".

    Do a file cleanup and registry cleanup with CCleaner (uncheck the installer category before analyzing/repairing). Do NOT forget to save a backup of the registry before cleaning all entries (you will be prompted for this). The reason for doing the CCleaner registry cleanup now and not earlier is because it will remove broken registry entries left behind from the malware cleanup, especially in the case of removing infections called from abnormal entry points.

    IMPORTANT NOTE!: It is absolutely imperative that you save a backup. CCleaner can break your HP printer driver install, necessitating a reinstall of the driver disk. It can also break applications served up by a terminal server or installed from remote locations. To avoid this, uncheck the "application paths" category. You can quickly recover the repairs by double clicking on the backup file and saving it back to the registry.

    Do a scan with Hijackthis and save the log. Do not edit any of the entries at this point.

    Do a rootkit scan with Rootkit Hook Analyzer (click on Analyze). When the scan is done, do NOTHING except click the Export button and export the log to a text file.

    Finally, at the end, do all Windows updates, java, flash and shockwave to address key vulnerabilities. Be careful if you have an AMD based machine, especially HP and Compaq, in installing SP3. There is a file in the system32\drivers folder called intelppm.sys that will cause the computer to blue screen on reboot every time until you rename/remove it (this can be done from Safe Mode).

    If, at the very end, you can't connect to the internet, run WinsockXP Fix if you run Windows XP. If you run Vista, right click on the network connection and click diagnose/repair. Finally, restore your browser defaults (Under Tools > Options > Advanced).

    Directions on how to use most of these tools are in the 8 step removal process thread.

    Upon completion, post all logs in this thread and I'll take a look at them for you. As you may have been able to tell, I combat infections professionally, numerous times a day. 99 times out of 100, we do a complete repair without reformat. In other words, I'm very, very good at what I do. :) Many moons ago I used to distribute infection code on a BBS. These infections were capable of totalling hard drives and even motherboards and modems. Fortunately I grew up and now fight for the other side.
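Added example, not written by any poster in this thread: the post above describes an infection launched "from an entry point in the registry that absolutely none of the logs pointed out." The script below walks the common autorun entry points (HKLM/HKCU Run and RunOnce, plus the Winlogon Shell and Userinit values), resolves each command line to its executable, and flags entries whose executable lives in a temp or user-profile directory or no longer exists on disk. It only reports; nothing is deleted. Assumptions: it runs in an elevated PowerShell on Windows, and the "suspicious location" list (TEMP, Users, Documents and Settings) is a heuristic chosen here, not a rule from the thread.

```powershell
# Added example: audit registry autorun entry points and flag the ones a cleanup
# should look at. Read-only. Assumes an elevated PowerShell session on Windows.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Only these Winlogon values are launch points; the key's other values are ignored.
$winlogonValues = @('Shell', 'Userinit')

function Get-ExecutablePath {
    param([string]$Command)
    # First token of a command line: a quoted path, or everything up to the first space.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    # Expand %SystemRoot%-style variables; Userinit normally ends with a trailing comma.
    return [Environment]::ExpandEnvironmentVariables($path).TrimEnd(',')
}

function Test-SuspiciousLocation {
    param([string]$Path)
    # Heuristic (assumption of this example): executables started from temp or
    # user-writable profile directories deserve a closer look.
    $lower = $Path.ToLowerInvariant()
    $userWritable = @(
        $env:TEMP.ToLowerInvariant(),
        "$env:SystemDrive\users".ToLowerInvariant(),
        "$env:SystemDrive\documents and settings".ToLowerInvariant()
    )
    foreach ($prefix in $userWritable) {
        if ($lower.StartsWith($prefix)) { return $true }
    }
    return $false
}

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PowerShell's own provider metadata
        if ($key -like '*Winlogon' -and $prop.Name -notin $winlogonValues) { continue }
        $exe = Get-ExecutablePath -Command ([string]$prop.Value)
        # Winlogon Shell is usually just "explorer.exe" with no directory: resolve via PATH.
        if (-not [IO.Path]::IsPathRooted($exe)) {
            $resolved = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($resolved) { $exe = $resolved.Path }
        }
        $exists = Test-Path -LiteralPath $exe
        [PSCustomObject]@{
            Key        = $key
            Name       = $prop.Name
            Executable = $exe
            Exists     = $exists
            Suspicious = (-not $exists) -or (Test-SuspiciousLocation -Path $exe)
        }
    }
}

# Suspicious rows first, so a dropper parked under a temp folder shows at the top.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A missing file is flagged as well because a Run value pointing at a deleted executable is exactly the "broken entry left behind from the malware cleanup" the post talks about; it is harmless on its own but tells you where the malware used to be. Services, scheduled tasks and the per-user Startup folder are further entry points this sample does not cover.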
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    guyzie, I would like to offer you an alternative cleaning program. You are free to follow whichever you want:

    First, IF you did a System Restore, it is possible that you have reinfected the machine. Malware has been found in the restore points:
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D34DC7D9-5069-4FEB-891F-37A59618FF48}\RP504\A0086883.DLL

    These are protected files and because of that, malware cleaning programs do not remove it. We have you drop all of the old restore points at the end of cleaning and set a new, clean restore point. If you did a cleaning previously and weren't told about this, that may be why you got reinfected.

    The primary malware is Vundo. There is a special removal program for that which I offer you:
    Please download VundoFix.exe HERE
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside the item listed below (if present):
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application and boot into Safe Mode:

    Right click on Start> Explorer> Windows> System 32> then go up to Tools> Folder options> View tab> CHECK 'show hidden files & folders'> Apply> OK. Type in each of the files below. If found: right click> delete:
    Reboot into Normal Mode. Rescan with HijackThis and attach both logs.

    It is very likely that you may not find these files. Depending on the followup logs for the Vundo Fix and HijackThis, we may use a program called KillBox to find and remove them.

    Some of us handle the cleaning process differently. It is my preference to address what I see in the logs, then go from there. Please feel free to choose whichever method you are the most comfortable with.

    Either way, do NOT use the System Restore function while cleaning.
  4. adweston

    adweston Banned Posts: 242

    System Volume Information files are not protected. You can't access the folder from My Computer without taking control of it and giving yourself access permissions, but AVG 8 will actually scan that folder and remove the infections (spoken from plenty of experience).
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Ignorance is not bliss when it comes to computer information:

    To gain access to the System Volume Information folder, use the steps in the appropriate section.
    Microsoft Windows XP Professional or Windows XP Home Edition Using the FAT32 File System
    Windows XP Professional Using the NTFS File System on a Domain
    Windows XP Professional using the NTFS File System on a Workgroup or Standalone Computer
    NOTE: The System Volume Information folder is now accessible in normal mode to users of Windows XP Home Edition.

    Using CACLS with Windows XP Home Edition Using the NTFS File System: see site
  6. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    very good Bobby. This has been my experience too.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Anti-Virus Software:
    AVG Technologies Free Edition
    "it can as easily restore an infected file if it had been in a protected area, effectively re-infecting your computer right after you have cleaned it. Because of this, it is recommended to turn off System Restore before you test, and when you're done, turn it back on so you are still protected from standard computer problems."

    Spybot Forums: Reply to AVG user:
    Let's reset system restore
    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
    1. Turn off System Restore.
    2. Reboot.
    3. Turn ON System Restore.

    Every AVG user with malware is being advised to clear the restore points by the 'turn off/reboot/turn on' action. Even AVG Command prompts DON'T have anything to remove restore points.
  8. adweston

    adweston Banned Posts: 242

    It is it is.. So many people with paper smarts and no/minimal real world experience to back it up.

    We use and recommend AVG 8 Free every day of the week. I can tell you, 100% for certain, due to real, hands on experience, that AVG 8 does indeed scan and clean the System Volume Information folder.

    Take it for whatever it's worth, but it is truly the difference that experience makes....which is why I don't hire fresh blood out of the A+ program...

    And of course... I should probably mention that we use other tools for computer repairs (yes, we do them in the real world, not just "cyber tech" on a message board) that actually completely bypass NTFS permissions...

    This antique advice of deleting the system restore to prevent reinfection is very much last decade if you actually recommend, know and use the *right* tools. If a Snap-on tool does 10 times the job the Powerfist equivalent does, you use a Snap-on. The customer doesn't give a darn if you don't like Snap-on, or are personally biased against it.. All they care about is that you fix their car and it doesn't break a week later.

    But.. suit yourself. We've already seen what happened the first time around. It's kinda like putting bandages on Herpes or spray paint on a rust spot. It's fine I guess.. It gives them something to do.. But unfortunately it doesn't address the concern you put forth in your OP.

    EDIT: There's also a little known etiquette in this forum about more than one person trying to help. Kimsland has acknowledged this and follows that practice. It's a shame these posters don't do the same. They had their chance to bash my suggestions in the "suggestions" forum and gave a "bandaid" solution based on those statements that obviously didn't work. Maybe it's time to step aside and let someone else take a crack at it.
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    adweston, I am getting tired of you ranting about your 'experience' at the loss of anyone else having any!
    You continue to fling these insults when you know nothing about the people you are referring to. Some of us have been handling the cleanings here well before you came on. Many of us have different backgrounds and experience. But NONE of us have had to defend ourselves for what we know and don't know.

    Those of us who help out here and know what we're doing do not hesitate at all to ask for assistance if we think we need it. See, that's the big difference- we know our limitations- you don't. I offered this person a reasonable path for the cleaning, omitting all the extra downloads and scans you suggested. I wait until I see what I am dealing with- then decide if and which special programs need to be added.

    Some of the helpers do have more experience and they have gained it by using both 'hands on' and 'hands off.' I bow to their expertise if I need it and have no problem telling the person who has the problem that I am going to ask for additional help. This isn't an ego trip- I am not threatened by the knowledge of others. But rather I use it when I need it.
  11. adweston

    adweston Banned Posts: 242

    Not really, but thanks anyways. I put forth an idea, it wasn't received well.. The end.

    Well, before this thread turns into a flamefest, I'll just say this thread is living proof of what I've spoken about all along, including the thread you referenced, and now it's up to the individuals seeking help which approach they wish to take.

    Claims...and results...are obviously two different things.

    And thus I have nothing further to add until the poster posts the logs I asked for.
  12. guyzie

    guyzie TS Rookie Topic Starter

    Thank you all very much for your help and explanations! There is clearly a lot of information here that I will need to read through before everything is clean on my end. I will check in once all these processes have been run!

    Thanks so much once again. It is clear to me that you guys care very much about the work you do!

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You're welcome.
  14. guyzie

    guyzie TS Rookie Topic Starter

    Hi again guys!

    So I've completed all the tests you've suggested for me and here is a breakdown of tests that were run:

    - ComboFix
    - Rootkit Hook Analyzer (aka SanityCheck?)
    - MalwareBytes
    - WinSock XP Fix
    - AVG 8 Internet Security installed and run
    - VundoFix

    After running ComboFix, I ran Rootkit Hook Analyzer and everything seemed ok. I ran MWB and ran WinSock Plus. Installed AVG 8 and it is way more effective than Avast. It was installed, cleaned, and removed infections. Real-time scanning an added plus!

    I decided after installing AVG 8 to run Rootkit Hook Analyzer and it caused a "Blue Screen of Death" twice when I ran it. So I skipped this and tried a Winsock XP Fix again after removing infections with AVG8. This "reset" the registry I think and I had to reinstall AVG8 for the firewall function to work again.

    Lastly, VundoFix was installed and found no other infections on my system which made me happy!

    Also I wanted to know if Avira AntiVir Pro is better than AVG 8 Internet Security (or vice versa) and how it is better, or any other packaged solution. Price is no issue.

    Please let me know from your analysis what final items need to be removed to finish the infection!

    Thanks for all your support and expertise!!
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Please un-install:
    AVG8 and then run the removal tool
    SpybotsSD (if installed)
    Then Restart

    Install Avira free AntiVirus
    Do a full scan
    And we may find out if it is better or not ;)
  16. guyzie

    guyzie TS Rookie Topic Starter

    Wow!~ More viruses found!!! I also installed PC Tools Threatfire as I saw a few other people on other forums said it would provide more well rounded coverage as well. Do you think this is so? I've uploaded the logfiles!

    Thanks for the help!
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I don't find PC Tools Threatfire all that good
    Avira and MalwareBytes are the best I feel ;)

    Clear & Reset System Restore's Cache

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


    How does it seem to be performing now?
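Added example, not posted by kimsland or anyone else in this thread: the "turn off / turn back on" procedure above (and the AVG and Spybot quotes in post #7) can be done from an elevated PowerShell instead of the sysdm.cpl dialog. The script lists the existing restore points, disables System Restore for the system drive (which is what discards every restore point on it, including any that a cleaner could not touch inside the protected folder), re-enables it, and then creates one fresh checkpoint as a clean baseline. Assumptions: an elevated PowerShell on a Windows client edition (the *-ComputerRestore cmdlets are not available on Windows Server), and the drive is the system drive; the reboot that post #7 puts between the two steps is left to you.

```powershell
# Added example: clear and reset System Restore from PowerShell.
# Assumes an elevated session on a Windows client edition; $Drive is the drive to cycle.

$Drive = "$env:SystemDrive\"   # e.g. C:\

function Get-RestorePointSummary {
    # Existing restore points as a small table (empty when there are none).
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = {
                # CreationTime is a WMI datetime string; convert it to a readable DateTime.
                [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

Write-Host "Restore points before reset:"
Get-RestorePointSummary | Format-Table -AutoSize

# Step 1: turning System Restore off for a drive deletes all of that drive's restore
# points. This is the part that removes infected files parked in System Volume Information.
Disable-ComputerRestore -Drive $Drive

# Step 2: turn it back on so the machine is protected again from here on.
Enable-ComputerRestore -Drive $Drive

# Step 3: create a new, clean baseline. Windows may refuse to create another checkpoint
# if one was made very recently; -ErrorAction Continue lets the script finish regardless.
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
    -RestorePointType MODIFY_SETTINGS -ErrorAction Continue

Write-Host "Restore points after reset:"
Get-RestorePointSummary | Format-Table -AutoSize
```

Run this only after the scans have finished and the quarantine has been emptied; doing it earlier just throws away your only rollback point while the machine is still being changed, which is also why post #3 says not to use System Restore during the cleaning.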
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    As far as I could see in your original HijackThis log (Post #1, then again later in Post #14), the antivirus program you had in the system was AVG v8. But later you state:
    You asked:
    and it was suggested that you "uninstall AVG v8 and install Avira."

    On Post #16, you state you installed: " Threatfire" and left a scan report named AVSCAN. Upon investigation of the name AVSCAN, I find:
    So it would appear that you used either an online or on demand scanner. That log states that 28 viruses and/or unwanted programs were found and 28 files were moved to quarantine. The next move would be yours- to delete those files from quarantine, rescan and see if those files remain deleted.

    Unfortunately some digression in your problem occurred and you were told to run additional scans with additional programs, but nothing was followed up.

    At this point I will say: work with the antivirus program you have. Update and scan. See what is found and make sure it is put in the virus vault or quarantined. Once there, it will not affect your system and you may delete it. It does not sound like you are doing the last step. You have no consistency in your security program handling and until you do, you are not going to have control over this problem.

    Not all AV programs scan exactly alike. Some have a record of finding more false positives than others and you could probably run 6 scans with 6 different programs and only a part of each would be exactly alike. Some lean more toward 'heuristics' where the scan is based more on "sounds like" rather than "is."
  19. guyzie

    guyzie TS Rookie Topic Starter

    Hi Bobbye!

    Thanks for replying so quickly. Originally, I had Avast on my system and once it was suggested that AVG8 or Avira was better I upgraded, and AVG8 starts to appear in the hijack log after my second run.

    Later I was told to install Avira, so I uninstalled AVG8 and Avira produced the AVScan log you were mentioning. The bulk of the report seems to me to be Avira running a self-scan of all its components of the program and within the 2nd section of this self-scan it indicates the configuration file used by Avira to run the anti-virus scan:

    I uploaded the log so I can get some advice on what should be deleted from the quarantine, in case it was a false positive. Aside from that, the previously detected infections have been deleted that were detected by AVG8.

    Since Avira Premium Security Suite caught what AVG8 missed, I'll keep Avira installed for the long haul. Just out of curiosity, Bobbye, what kind of setup do you have on your computer as far as software goes (i.e. firewall, anti-spyware, anti-malware, anti-virus, anti-rootkit, etc.)?

    I loved the interface of the AVG8 Internet Security Suite which was bundled with all the above mentioned protection, but the AVG8 anti-virus scan missed what Avira caught. I read that Avira's Premium Suite's main strength is its anti-virus and its other components (firewall, spyware, etc.) were lacking in intelligent decision handling, requiring constant intervention by the user while other similar programs handle these items automatically, only involving the user on important decisions.

    Please let me know what you can suggest as a bundle of software or prepackaged solution to new infections!!

    Thanks again so much for your help!
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, I see why I was uncertain about the AV. As for this, I think you may be surprised:
    1. I have Eset Nod32 antivirus.
    2. I am behind a router which has hardware firewall.
    3. I use the Windows firewall (software)
    4. I have Spywareblaster and Spybot Search & Destroy

    But the most important security practices for me are:
    1. I am VERY careful when I search. I spend half the day searching and only choose the sites I am familiar with or that I think are safe.
    2. I use the Firefox browser: Three of the add-ons are AdBlock Plus and the 3 Easy Lists. These keep the trash out. And Flashblock. Firefox won't even allow a redirect of a page on the same site!
    3. I do not use file sharing sites or programs.
    4. I do not click on pop-ups
    5. I do regular maintenance: I have to clean Cookies several times a day. I only keep History for 3 days, then delete it all.
    6. I am very rigid about accepting email- I need to know who sends it. I need to be expecting an attachment and know what it is for and even then I save it to my desktop and do a right click> scan with AV.
    7. The ONLY processes I have starting up are the AV, touchpad for laptop and network process.

    It's a multi-layered practice. My ISP does a good job of keeping a lot of trash out of the network also. I prefer stand alone programs rather than a suite. They use less resources and if there is a problem, I know 'which' part to look in.

    I had AVG v7.5, paid, for a year. But didn't renew when v8 came out. One reason was the bundled spyware program. And I am now seeing multiple reports with getting updates. I do scan with Hijack This and Malwarebytes occasionally just to make sure something didn't get in. But I don't leave them running.

    One GOOD, reliable antivirus program. We've been suggesting Avast or Avira, both free.
    One GOOD firewall. I encourage using a router even if you don't have another computer to network. That will provide a hardware firewall. If getting third party firewall, get one that is bi-directional- that is, it listens at both incoming AND outgoing ports. The Windows firewall doesn't do that. We recommend Comodo or ZoneAlarm, both free.
    Two or more GOOD spyware/adware programs- a combination of preventative and 'find and fix'.
  21. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    like to confirm Bobby's post: My practice and setup is almost identical :)
Topic Status:
Not open for further replies.
