Author Topic: How can I get rid of this thing?  (Read 10373 times)


metacom

  • Guest
How can I get rid of this thing?
« on: October 21, 2010, 10:14:01 PM »
So, my computer got infected yesterday.  I'm not sure how, but it did.  Every few minutes avast would warn me that a threat was detected (with the process in svchost), and whenever I would do a google search it would tell me a threat was detected (with the process in firefox.exe).  This worried me, and I like to take extreme actions when I'm worried, so I ran a boot time scan.  3 threats were found (Win32:Alureon-JE (which I can not find anything about, though I can find information on Win32:Alureon-EJ which would explain my google warnings), Java:Agent-P, and Java:Djewers-S).  I moved all of these to the chest and figured I was good.  But as I browsed the internet, I realized the same warnings were popping up.  I decided to run a full system scan, and 15 minutes into it started a quick scan.  The quick scan ended first, obviously, and found 4 threats (Win32:Rootkit-gen, Win32:Oficla-AH, Win32:Oficla-AH (yes, twice, apparently), and JS:Downloader-AGK).  I tried to delete all of them, but only the first three were successfully deleted.  I then tried to move the last one to the chest, but it failed, with the message "Error: The system cannot find the file specified (2)".  That scan took 37:58, if that means anything at all.

Not long after, the full scan ended.  It took 1:21:53.  It found the same 4 files, three of which I had already deleted and thus when I tried to take action with them, they couldn't be found.  This is no surprise. The fourth did the same thing as before, i.e., nothing, which bothers me.

Curious, I did a google search, and sure enough, Avast warned me that a threat was detected.  So I ran one more quick scan.  This one was much much faster (only 5:48!), and it found only one infection--the same one that it can't seem to find when I want to fix it.  So...being not very computer savvy myself, I figured I'd ask for help here.  How can I kill this guy?

If you need more information, just ask.  According to my scan logs, the file name where the infection is located is as follows:

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KI9LY1L5\kwfsazksymcuazdv[1].htm

(Also, both firefox and internet explorer look aesthetically different than they did before.  I just upgraded firefox to 3.5.13 (I'll get 3.6 once this is dealt with), but I don't think that should change the appearance, and I haven't upgraded IE at all recently (I have version 7.0.6001.18000, apparently), so I don't know if the virus is screwing with things or if it's entirely unrelated.)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not an avast user
Re: How can I get rid of this thing?
« Reply #1 on: October 21, 2010, 10:58:08 PM »
start with this...

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click on the remove selected button to quarantine anything found
please post the scan log here

metacom

Re: How can I get rid of this thing?
« Reply #2 on: October 21, 2010, 11:15:44 PM »
Hm.  Well, I went to the site you linked to, downloaded the file (mbam-setup-1.46.exe), and tried to run it, but got an error.

"ShellExecuteEx; Code 1068.
The dependency service or group failed to start."

So...I guess I can't run that program?  That may be problematic.

Offline Pondus

Re: How can I get rid of this thing?
« Reply #3 on: October 21, 2010, 11:43:34 PM »
Ok, let's try another one

Hitman Pro 3 - Second Opinion Malware Scanner (30 day free removal)
http://www.surfright.nl/en/hitmanpro

metacom

Re: How can I get rid of this thing?
« Reply #4 on: October 21, 2010, 11:50:04 PM »
Same error (slightly different message this time, but the main error, that "The dependency service or group failed to start", was the same).  I'm going to restart my computer real quick and see if I can try MBAM again.  I think, after googling for error 1068, that host processes stopped working, which is bad...but a restart should fix it for a short time, hopefully long enough for me to download the program.  I'll post again if it's successful, and hopefully I'll have a log for you to help me with.

Thanks for helping so far, by the way!

Offline Pondus

Re: How can I get rid of this thing?
« Reply #5 on: October 21, 2010, 11:51:43 PM »
try holding down left Ctrl button when clicking the Hitman icon

metacom

Re: How can I get rid of this thing?
« Reply #6 on: October 21, 2010, 11:57:43 PM »
Restarting worked, I now have downloaded Malwarebytes.  I'm running a quick scan now.  Would you prefer I did a full scan?

Offline Pondus

Re: How can I get rid of this thing?
« Reply #7 on: October 21, 2010, 11:59:48 PM »
quick is fine, 99% of what MBAM detects, it will do with a quick scan
« Last Edit: October 22, 2010, 12:01:43 AM by Pondus »

metacom

Re: How can I get rid of this thing?
« Reply #8 on: October 22, 2010, 12:09:53 AM »
Here's the log, it did find an infection and remove it.  Hopefully that fixes things.  It said I have to restart my computer, so I'll do that now.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4905

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

10/21/2010 6:08:40 PM
mbam-log-2010-10-21 (18-08-40).txt

Scan type: Quick scan
Objects scanned: 146391
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\180E.tmp (Trojan.Alureon.Gen) -> Quarantined and deleted successfully.
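The MBAM 1.46 log above has a fixed shape: a header of "Key: value" lines, a block of per-section counts, then one detail section per category listing each item as "path (DetectionName) -> action." When triaging logs posted in threads like this one, two checks are worth automating: do the summary counts agree with the items actually listed, and did every item end in "Quarantined and deleted successfully" or is something still pending. The parser below is an added example written for this page; it is not code from the thread or from Malwarebytes. The first sample is the log as posted above; the second sample is constructed, and its second file path and the name "Trojan.Example" are placeholders, not real detections.

```python
import re
from dataclasses import dataclass, field

# Log as posted in the thread (raw string so the backslashes in the path survive).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4905

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

10/21/2010 6:08:40 PM
mbam-log-2010-10-21 (18-08-40).txt

Scan type: Quick scan
Objects scanned: 146391
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\180E.tmp (Trojan.Alureon.Gen) -> Quarantined and deleted successfully.
"""

# Constructed fragment: second path and detection name are placeholders.
CONSTRUCTED_LOG = r"""Files Infected: 2

Files Infected:
C:\Windows\Temp\180E.tmp (Trojan.Alureon.Gen) -> Quarantined and deleted successfully.
C:\Windows\Temp\example.dll (Trojan.Example) -> Delete on reboot.
"""

COMPLETED = "Quarantined and deleted successfully"

# "Files Infected: 1" style summary line.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Key: value" header line (letters/spaces only before the colon, so paths and timestamps do not match).
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# "item (Name) -> action." detail line; the lazy item group backtracks past "(x86)" in paths.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    name: str
    action: str


@dataclass
class MbamReport:
    fields: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into header fields, summary counts and detections."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m.group("section")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]  # start of a detail section
            continue
        if section is not None:
            if line == "(No malicious items detected)":
                continue
            m = DETECTION_RE.match(line)
            if m:
                report.detections.append(
                    Detection(section, m.group("item"), m.group("name"), m.group("action")))
            continue
        m = HEADER_RE.match(line)
        if m:
            report.fields[m.group("key")] = m.group("value")
    return report


def check_counts(report):
    """Return {section: (summary_count, listed_count)} for every section where they disagree."""
    listed = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.counts.items() if listed.get(s, 0) != n}


def pending_actions(report):
    """Detections MBAM did not finish in-session (e.g. 'Delete on reboot')."""
    return [d for d in report.detections if d.action != COMPLETED]


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("constructed log", CONSTRUCTED_LOG)):
        r = parse_mbam_log(log)
        print(label, "mismatches:", check_counts(r), "pending:", [d.item for d in pending_actions(r)])
```

A non-empty result from pending_actions is the cue that the machine still needs the reboot MBAM asked for before the log can be read as clean; a count mismatch means the log was truncated or edited when pasted.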

Offline Pondus

Re: How can I get rid of this thing?
« Reply #9 on: October 22, 2010, 12:15:02 AM »
hmmmmm.....only one bug   ;D  so avast! may have got it all, so how is the PC behaving now, problem gone?

You may run Hitman also

metacom

Re: How can I get rid of this thing?
« Reply #10 on: October 22, 2010, 12:23:52 AM »
hmmmmm.....only one bug   ;D  so avast! may have got it all, so how is the PC behaving now, problem gone?

You may run Hitman also

ugh.  I thought it was alright, when I restarted everything seemed fine and dandy.

So I tested by doing a google search, which formerly caused Avast! to detect a threat...

This is the result.  :(

Offline Pondus

Re: How can I get rid of this thing?
« Reply #11 on: October 22, 2010, 12:29:07 AM »

metacom

Re: How can I get rid of this thing?
« Reply #12 on: October 22, 2010, 12:31:52 AM »
Alright, it's running.  I'll let you know if it works.

Thanks again for all the help, I really appreciate it!

metacom

Re: How can I get rid of this thing?
« Reply #13 on: October 22, 2010, 12:36:30 AM »
I'm very happy to report that that seemed to work!  I just did a test google search and everything was fine!  Thanks a lot!

Offline Pondus

Re: How can I get rid of this thing?
« Reply #14 on: October 22, 2010, 12:40:03 AM »
phuuuuu...... ;D if it comes back then we call in Essexboy   

I have to find the bed now  ;)