Just want to be sure my PC's not infected anymore

Status
Not open for further replies.

kaelzeph

Posts: 7   +0
I was infected by the Win32/Heur virus/trojan and my Avira went nuts, all my .exe files were either removed or triggered virus alerts every second. I installed AVG and it too went nuts. I already did Combofix and the preliminary removal. Other than my .exe files going haywire, my printer drivers were also affected so I uninstalled them but now every time I open My Computer or any Explorer window, it tries to install drivers for my printer again. Any other things that I should do?
 

Attachments

  • mbam-log-2009-03-13 (17-13-11).txt
    24.4 KB · Views: 7
  • hijackthis.log
    9 KB · Views: 6
Hi,
That is one big Malwarebytes log.
You should re-scan with Malwarebytes after updating to make sure.

Reading your HijackThis log I see you have uTorrent and LimeWire. I will not carry on until these are removed. You will most probably get reinfected while a cleaning process is taking place if they are kept. You must uninstall them and re-run HijackThis before most users will help you.

Finally, you have 2 antivirus programs, AVG and Avira. It is not recommended to run both at the same time. You should remove AVG as this will speed up the system, decrease the chance of compatibility problems, and Avira is the better of the two.
 
I've removed utorrent and limewire... but I've got some issues with uninstalling my avira. The .exe files for that one were all corrupted and somehow got deleted. I try to install a fresh avira but it still recognizes my old avira installation and when I try to uninstall it and it says "your system will now reboot," it doesn't...
 
Download and Run ComboFix

  • Download this file to your desktop from HERE
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply

WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Adding some assistance:
It appears that at some time you may have downloaded a program called Error Nuker. It is a rogue Registry cleaner. The exceptionally long Mbam log is due to entries found from that program:
(Rogue.ErrorNuker)
http://www.malwarebytes.org/malwarenet.php?name=Rogue.ErrorNuker
A description from a-squared Anti-Malware
Name: Adware.Win32.Error Nuker 2005:
Error Nuker is a product by Trek Blue Software, the same makers of Spyware Nuker.
Description: Error Nuker 2005 is a rogue security program that provides no protection against adware or spyware. It shows false warnings and false positives that work as a goad to purchase. It shows false reports of updating its reference database.

Characteristics:
* Poor scan reporting.
* Shows false results and warning messages.
* Falsely reports updating ref database.

Installation: Installed through EXE
Process: ErrorNuker.exe
Registry cleaner> license, readme.txt, logs
I am uncertain as to the actual status of all the entries the Mbam log shows as quarantined and deleted, but any left-over files from this program should be searched out and deleted. You should also check in Add/Remove Programs and UNINSTALL it if it is there.

Now let's get the multiple antivirus programs resolved:
First HijackThis log:
1. AVG:

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
O2 - BHO: AVG Security Toolbar
O4 - HKLM\..\Run: [AVG8_TRAY]
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

2. Avira: (installed over the top of AVG)
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (file missing)
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (file missing)
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (file missing)
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE (file missing)
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (file missing)
Second HijackThis log:
1. Avast:

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
2. Avira:
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (file missing)
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (file missing)
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (file missing)
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE (file missing)
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (file missing)
It appears that you thought Avast and Avira were the same program OR you just decided to add it to the soup! We need to get you down to ONE functioning, updated, correctly configured antivirus program. So this is what you need to do:
Decide which of the programs you want to keep: Avast or Avira. I have grouped all of the entries for each to make it easier for you.
For the antivirus program that you do NOT want, follow this:
1. Boot into Safe Mode
2. Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK ALL entries belonging to the AV program you do NOT want to keep> Apply> OK.
3. Start> Run> services.msc> on EACH of the O23 entries above for the antivirus program you do NOT want to keep> right click on the Service> Properties> change the Startup type to Disabled> Stop the Service. (I only see O23 Services for Avira. IF they are loading at Startup because they are set to Automatically start on boot, that's why you can't uninstall it.)
4. Control Panel> Add/Remove Programs> find each entry for the antivirus program you do NOT want to keep> Click to highlight> Remove (uninstall)

5. Reboot the computer into Normal Mode. NOTE: the first time you reboot after making changes on Startup, you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
Once you have cleaned up the multiple AV programs, it is recommended that you update the AV you kept and run a full system scan. I saw a few other entries that should be removed, but I'll wait and see how they are handled for now.
 
I think the ErrorNuker was the one causing the Heur infection. I got that when my cousin inserted her USB flash drive into my PC. I didn't notice it because the icon for the flash drive was not that of a folder and my anti-virus at that time (Avira) did not recognize it.

I've done the instructions for the anti-virus I don't want. When I got to the part for uninstalling in the Add/Remove Programs, it said that Avira was already removed.

Here are the recent logs for ComboFix and HijackThis.

And there was one weird thing that happened when I booted into safe mode. There was another user called Administrator which shouldn't be there since my account is the admin account. And that account name does not appear in the Control Panel/User Accounts. It's also password protected.
 
Go to Add/Remove Programs and uninstall XoftSpySE.

It was formerly listed as spyware and I would not recommend it.

http://spywarewarrior.com/rogue_anti-spyware.htm


To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
 
XoftSpySE was another one of those programs that got removed somewhat so I couldn't find it in my Add/Remove Programs list

Here's the Uninstall List from HJT.
 
COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Folder::
    C:\$AVG8.VAULT$
    c:\program files\XoftSpySE
    c:\program files\Kaspersky Lab
    c:\program files\Common Files\Kaspersky Lab
    c:\documents and settings\Antonio Navales\Application Data\uTorrent
    c:\documents and settings\Antonio Navales\Application Data\LimeWire
    c:\program files\Common Files\Symantec Shared

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.gif]

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
Here's the latest ComboFix log. I've already uninstalled Avira and ESET NOD32 but ComboFix still detects them. Would there be anyway to remove them?
 
I've already uninstalled Avira and ESET NOD32 but ComboFix still detects them. Would there be anyway to remove them?
(Nice job, by the way, cleaning up the 'extra' AV programs)

FYI: The top section shows files created in the last 30 days,
2009-03-14 15:06 <DIR> d-------- c:\program files\Alwil Software
2009-03-12 21:42 . 2009-03-12 21:42 <DIR> d-------- c:\program files\Avira
2009-03-13 08:50 . 2009-03-13 19:38 <DIR> d-------- c:\program files\XoftSpySE
2009-02-21 19:06 . 2009-03-12 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

That's why you see 'Avira'.

Where are you seeing Nod? Did you mean another AV program? Nod wasn't on your list of multiple AV programs.

kritius, you might want to have him check these for possible removal and/or take off of Startup:

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
Magic Disc, also known as MagicISO (also referred to as MagicISO Maker), is a CD/DVD image shareware utility that can extract, edit, create, and burn disc image files. It is well known for its support and ability to convert between ISO and CUE/BIN and its proprietary UIF disc image format as well. It is usually a high resource user and doesn't have to be on startup.

And check to see if these programs are still installed. I see Services show as Unknown owner/file missing in HijackThis logs on Vista, due to a bug reading the files. But it's unusual in Windows XP. The Services might need to be Disabled and stopped.
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
--
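Both of the checks the helpers did by hand above, grouping the O23 service entries by antivirus vendor to spot more than one AV installed, and picking out services whose binary is reported as "(file missing)" (left-over registrations from a product that was uninstalled or wrecked), can be scripted over a HijackThis log. The following is an added example, not code from this thread or from HijackThis. It assumes the O23 line format exactly as it appears in the excerpts above ("O23 - Service: name (shortname) - owner - path [(file missing)]"), the vendor keyword list is a heuristic I chose, and the sample log is constructed from lines quoted in this thread.

```python
"""Triage a HijackThis log: flag multiple AV vendors and orphaned O23 services."""
import re
from collections import defaultdict

# O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]
# The "(short)" part is optional: "NBService" and "avast! Antivirus" have none.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Heuristic vendor keywords (assumed, not from HijackThis). Order matters:
# "avast" is checked before "avg" because Avira's avguard.exe contains "avg",
# so the more specific names come first.
AV_KEYWORDS = {
    "avast": "Avast", "alwil": "Avast",
    "avira": "Avira",
    "nod32": "ESET",
    "kaspersky": "Kaspersky",
    "symantec": "Symantec",
    "avg": "AVG",
}


def vendor_of(text):
    """Return the AV vendor a log line refers to, or None."""
    low = text.lower()
    for keyword, vendor in AV_KEYWORDS.items():
        if keyword in low:
            return vendor
    return None


def parse_o23(line):
    """Parse one O23 line into a dict; None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["missing"] = svc["missing"] is not None   # binary not found on disk
    svc["vendor"] = vendor_of(line)
    return svc


def parse_services(log_text):
    return [s for s in (parse_o23(l) for l in log_text.splitlines()) if s]


def av_vendors(log_text):
    """Map each AV vendor to every log line (any HJT type) that mentions it."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        vendor = vendor_of(line)
        if vendor:
            found[vendor].append(line.strip())
    return dict(found)


def orphaned_services(log_text):
    """O23 services whose executable HijackThis reported as missing."""
    return [s for s in parse_services(log_text) if s["missing"]]


def summarize(log_text):
    vendors = av_vendors(log_text)
    return {
        "av_vendors": sorted(vendors),
        "multiple_av": len(vendors) > 1,
        "orphaned": [(s["display"], s["vendor"], s["path"])
                     for s in orphaned_services(log_text)],
    }


# Constructed sample: lines copied from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("AV vendors present:", ", ".join(result["av_vendors"]))
    if result["multiple_av"]:
        print("More than one AV product is installed; keep only one.")
    for display, vendor, path in result["orphaned"]:
        print(f"orphaned service: {display} [{vendor or 'non-AV'}] -> {path}")
```

Run it against a full HijackThis log (`summarize(open("hijackthis.log").read())`) and the output is the same two lists the helpers built by hand: which vendors to choose between, and which services to disable and stop in services.msc before uninstalling. The vendor keywords are a substring heuristic, so extend the table for the products on your own machine.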
 
Then it wasn't in the last 30 days, I did not see it in ComboFix. You need to settle down, find one AV program, configure it and be sure it updates. Why are you changing the AV so much?

I have Nod32- it's not a free program. It works very well and gives update notices without incident. Maybe your subscription to Nod wasn't current.
 
The Nod32 expired so I changed to Avira but that too was wrecked by the virus and it sort of went downhill from there...
 