Trojan problems

Status
Not open for further replies.
This last weekend I was searching on Google, and started seeing pop-ups for my searches. I found this site and ran your suggestions (attached). I do not seem to have any more issues, but there could still be something there.

Any help would be much appreciated. Also, what can I do to keep my computer safe in the future? I had the generic Windows firewall, and Norton AV...

Edit: I guess I forgot my Avira scan.
 
1. Malwarebytes found some malware. However, you didn't do this:
* Make sure that everything is checked, and click Remove Selected.

So the malware entries show: No Action Taken

Please update Malwarebytes and scan again, taking care to put in the checkmarks.

2. SuperAntiSpyware has a similar feature. If you did not check the line there, UPDATE, scan again, and be sure to check the removal line.

3. You have entries for both Avira and Symantec security programs. Decide which you want to keep and uninstall the other. If you want to uninstall Symantec/Norton, use the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

4. If your computer has not had a 'pre-load cleaning', I suggest you give it one. Every manufacturer pre-loads a lot of 'junk' on a system. Most users don't realize it's there and/or don't use it. In your case, you have a lot of Acer entries that I suspect are in the junk realm. There are too many for me to list, but if you look through the HijackThis log, you'll see them all there, using valuable resources, slowing you down.

You have 13 entries for Acer loading at startup.

5. Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
(See additional instructions at end re Ask Bar.)
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: PCM Media Sharing.lnk = C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

6. Start> Run> type in msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:
AskBar and any Ask related entries
PCMMediaSharing
Then click on Apply > OK.
NOTE: when you reboot the first time after making change on startup menu, you will get a nag message. You can ignore and close it after checking 'don't show this message again.' Stay in Selective Startup.

Special consideration re: ActiveToolBand:
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
* If, in File Properties, file size is 292 kb and company is "HiTRUST": HiTrust browser plugin, part of Acer eDataSecurity Management software; it is a legitimate browser helper object.
* If, in File Properties, file size is 28 kb and company information is missing: parasite, detected as W32/Istbar.WL@dl; check it to have HijackThis remove it.
Special consideration: Ask Bar: this is at least a part of the pop-up problem. Please follow the instructions on this site to completely remove the AskBar:
http://coolbusteratyourservice.blogspot.com/2009/01/how-to-completely-remove-askbar-toolbar.html

I would like a better description of the kinds of pop-ups you're getting. They can indicate a particular type of malware.

7. Please download ComboFix HERE.

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

After completing the steps I have given, attach the new Malwarebytes log, rescan with HijackThis and include the new log, and include the ComboFix report.
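As an added example (not part of this thread), a small Python triage of the HijackThis lines quoted above, applying the helper's own criteria: orphaned entries ("(no file)", "(file missing)", "= ?"), the Ask toolbar components, and the ActiveToolBand file that needs a manual File Properties check. The keyword lists are assumptions built only from this thread, and the sample log is constructed from the lines quoted in it.

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: PCM Media Sharing.lnk = C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Markers HijackThis prints when the registered target no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)", "= ?")
# Path fragments this thread identifies as the Ask toolbar (assumption: case-insensitive substring).
ADWARE_FRAGMENTS = ("askbardis", "askbar.dll")
# Files the thread says need a manual File Properties check (size / company) before deciding.
AMBIGUOUS_FILES = ("activetoolband.dll",)

# "O2 - BHO: <rest>" -> section "O2", kind "BHO", rest "<rest>"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


def triage_line(line):
    """Return (section, verdict) for one HijackThis entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    low = rest.lower()
    if any(marker in rest for marker in ORPHAN_MARKERS):
        return section, "orphan"                   # nothing on disk backs it; safe to fix
    if any(frag in low for frag in ADWARE_FRAGMENTS):
        return section, "adware"                   # known Ask toolbar component
    if any(name in low for name in AMBIGUOUS_FILES):
        return section, "check-file-properties"    # OEM plugin or parasite share this name
    return section, "review"                       # leave the decision to the human


def triage_log(text):
    """Map every recognised entry (full line) to its verdict."""
    results = {}
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict:
            results[line.strip()] = verdict[1]
    return results
```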
 
1. I'm pretty sure, I remember removing them.

3. I uninstalled them with CCleaner, and I checked my programs to see if I still have any Norton products. I see nothing.

4. I'm not quite sure what to do here, and don't know what pre-load stuff I should disable, if any.

6. I did not see anything. Possibly because I removed them in step 5?

Note: I have not gotten any pop-ups since starting this process. I would get a pop-up from my desktop for whatever I searched for in the browser. So if I typed 'ComboFix' I would receive pop-ups about anti-virus applications, and Combo-Fix.

Attached are the logs. I did before and after if you want to see them....

I am going to work on removing that ask toolbar now.
 
Mbam 1: 5/19/2009 7:01:53 PM> Malware found, "No Action"
SAS: 05/20/2009 at 08:16 AM> 1 file had malware> removed
AVScan: 5/20/2009 10:09> clean
HJ 1: entries removed 5/21/2009
Mbam 2: 5/21/2009 5:04:10 PM> clean
ComboFix : 05/21/2009 15:32.1> removed some orphans
HJ 2: 5:05:04 PM, on 5/21/2009> Previous entries fixed, clean.

CCleaner run> unknown time.

You still have two Symantec entries. They are loading from the Registry on Startup: Please run the Norton Removal Tool as suggested. Entries are:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001


This Service should be disabled:
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

You also have entries from:
ParetoLogic Anti-Virus PLUS> 5/15-17/2009>
c:\program files\Common Files\ParetoLogic
c:\programdata\ParetoLogic Anti-Virus PLUS
c:\users\All Users\ParetoLogic Anti-Virus PLUS
c:\programdata\ParetoLogic
c:\users\All Users\ParetoLogic


To uninstall the program from Windows Vista:
1. Click Start and click Control Panel.
2. In the left pane, select Control Panel Home.
3. In the Program section, click Uninstall a Program.
4. Select ParetoLogic Anti-Virus PLUS and click the Uninstall button.

Then use Windows Explorer > Programs > right click > delete the program folder.

You also have AVG file: 2009-05-15 15:53> c:\program files\AVG
Please uninstall. Delete program file using Windows Explorer

That should do it! If the original problem has been resolved:
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

When finished with everything, empty the Recycle Bin.

Then, as the saying goes, "you're good to go"! Let me know if you need more help.
 
These programs are not in my software list to uninstall programs. I did use Windows to uninstall them. And, I did try to use the Norton uninstaller, but it would not work... I do not see them in my program files either, lol.

Should I just run HJT to remove them?

And, what should I do to protect myself in the future? Am I set to do that with Avira and Comodo?

Thank you so much!
 
We'll take the last part first: the basic security should be:
One antivirus program
One software firewall. A router can add security with a hardware firewall
Two or more spyware/adware programs:

From SWI Forum: please see http://www.spywareinfoforum.com/lofiversion/index.php/t49777.html
for all the links and directions:

Visit Windows Update often to patch Windows.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Also from SWI:
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

You didn't say what 'would not work' meant when you tried the Norton Removal.
Boot into Safe Mode:
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Start> Run> services.msc> double click on CLTNetCnService> change Startup type to Disabled> Stop the Service.

Now try and run the Norton Removal Tool.
Don't forget to empty the Recycle Bin.
 