Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on August 26, 2014, 11:42:50 PM

Title: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 26, 2014, 11:42:50 PM
So, I found out that the laptop a guy gave me for free had a bunch of viruses and malware on it. Soon after I found this out I installed MBAM and Avast! on the system to clean it all out. After all the scans were done, I pulled out the network card, booted back into the original OS and removed all folder sharing and the online access accounts the viruses had made. I thought I had cleared it all out with Avast! finding over 1800 files in the system32 along with others scattered throughout other common directories on the laptop and MBAM also finding a good amount of files. I thought everything was good until I found three files under my system32 directory with odd icons. When I scanned the files, they both came out clean by MBAM and Avast! but I still thought I'd upload them to virustotal.com just to see for sure. These are the results of the scan:
1. https://www.virustotal.com/en/file/b80e8636f9ab374c1a3b24133d4fcc2d30ee3ac6da9a16d0aa6f68310af5c871/analysis/1408748526/
2. https://www.virustotal.com/en/file/c449d2e0cea951ce465455d58fcf41f3a2a13d0df5e880666cd0a2275aadbb05/analysis/1408741398/
3. https://www.virustotal.com/en/file/c449d2e0cea951ce465455d58fcf41f3a2a13d0df5e880666cd0a2275aadbb05/analysis/1408740271/
I was rather concerned by what these files were so I renamed them so that they weren't executable anymore and attempted to move them to a safer directory. I successfully moved over opea.exe and wmdtc.exe but dvdpaly.exe executed itself after being moved and Avast! finally picked it up and deleted it. As far as I know, there is no way for me to recover that file and I hadn't even had a chance to extract the icon from it :P. I thought I would just tell you that these files weren't detected by Avast! or anything else I was using and thought you may want to know about them. If you need copies of them to add to your definitions, I still have opea.exe and wmdtc.exe. I don't think I could get dvdpaly.exe back for adding to the definitions, but if there it, I wouldn't mind being able to extract the icon from that too as I could add it to my collection of odd low-res icons I got from viruses that can't be detected by my AVs.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: Asyn on August 27, 2014, 05:46:09 AM
You can report undetected malware here: http://www.avast.com/contact-form.php
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: Pondus on August 27, 2014, 06:03:48 AM
I recommend you attach a diagnostic log here and let the malware experts here take a look inside.
Scroll down to Farbar Recovery Scan Tool: https://forum.avast.com/index.php?topic=53253.0
Follow the instructions and attach the logs here.

Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 28, 2014, 01:43:51 AM
Quote
I recommend you attach a diagnostic log here and let the malware experts here take a look inside.
Scroll down to Farbar Recovery Scan Tool: https://forum.avast.com/index.php?topic=53253.0
Follow the instructions and attach the logs here.
That's a lot of applications that the thing says to install. Is it necessary to install all of them and run scans? If so, it would probably slow down my PC a lot and I wouldn't be able to use it for a day or two as the scans take a long time to complete. I'm also worried about overheating. I'm using a laptop and it doesn't have very good cooling and when I did the Avast! and MBAM scans they each took over 4 hours and I could only do one at a time because when it does the scan it uses 100% of my CPU power.

I just wanted to check if this was the only way to be sure that I'm not still infected because it's very time consuming and slow. I'd also like to point out that I am not currently booted into the infected OS as this is a tri-booted system. I installed this current copy of XP on a new partition not too long ago when I upgraded my HDD. I still have the original dual-booted installation of Windows 2000 and 95 on the first partition as I took a disk image of it before I installed the new HDD and wrote that image to a 20GB partition on the new disk. I installed XP on the second partition and only after that is when I was able to run the scans. All the infected files were on the Win 2000 side and not a single file was detected on my XP installation. Even the three files I listed were found in Windows 2000's system32, not Windows XP.
Does this mean if I still want help from here I would need to install every application listed and run scans with them?
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: Pondus on August 28, 2014, 08:07:16 AM
Quote
Does this mean if I still want help from here I would need to install every application listed and run scans with them?
see my post above ..... only one tool ..... Farbar Recovery Scan Tool, and the log expert will remove the tool when he is done

a diagnostic log is the only way to see what is going on in your system



Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 28, 2014, 08:49:46 PM
Quote
Does this mean if I still want help from here I would need to install every application listed and run scans with them?
see my post above ..... only one tool ..... Farbar Recovery Scan Tool, and the log expert will remove the tool when he is done

a diagnostic log is the only way to see what is going on in your system
Sorry, I misread that. I have now attached the two logs that you said I should add to my post.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 28, 2014, 10:41:46 PM
You are a bit short on RAM: you have Total physical RAM: 383.48 MB, which even for XP is pushing it.


CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
C:\xmplay
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 29, 2014, 12:49:44 AM
Quote
You are a bit short on RAM: you have Total physical RAM: 383.48 MB, which even for XP is pushing it.


CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
C:\xmplay
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
What is this process actually doing? C:\xmplay is the location of xmplay, the music player that I always use on a regular basis. I have it installed on all my computers with Win32 OSes that have sound cards. I didn't even install it on here specifically, I copied it off my desktop a long while back and that's how I've copied it to all my systems. This is the exact copy I have on all my computers. If you're saying this is an infected file, that would mean that all my systems are infected, even my Windows 98 and 2 other XP computers. I did have it running while I was doing the scan so that's why you see it as a running process. I actually even have it running now as I type this message, so, is this going to damage the files in any way because I don't want to lose my 290 song playlist.
Quote
THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
I haven't noticed any ads popping up on my system that would suggest that I have adware on it. Did you see something running that I didn't, because I haven't noticed anything on this OS that isn't normal. I'm pretty sure the infections are only on Windows 2000 on my other partition (C: is for Windows 2000 & 95 while XP is on D:). I have noticed some adware on Windows 2000 though I will admit, and this is going to remove the stuff on that operating system even if I'm not booted into it at the moment and can't run it from within that environment specifically? I just want to make sure before I do anything else on here.

Also, by the way, thank you for pointing out in bold that I have 383.48MB of RAM. That was actually an upgrade that I recently did so that Firefox 30 would load faster. Before this upgrade, I was running only 200MB of RAM. This is more RAM than my other XP systems though, my desktop has 256MB and my other laptop does also. I am aware of all my system's hardware because I've done work on all of them and haven't taken a single one of them to a repair shop before ever, I like to do all that stuff by myself instead. I'm basically just cleaning up the mess of viruses the previous owner left behind on that partition without knowing it.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 29, 2014, 02:33:09 PM
No, the reason for the removal is that the programme is running from the C drive when everything else is on your D. If you are happy with it then just leave it.

AdwCleaner will also remove old orphan registry entries for adware; a lack of popups does not mean they are not there.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 29, 2014, 09:04:44 PM
Well, I've done the scan with AdwCleaner and nothing of importance came up, just a JavaScript .js file and an uninstaller left over in my temp folder. I've attached the log below but I'm afraid that Windows 2000 still has a bunch of unwanted stuff on it that it didn't detect. It doesn't appear it checked any of the files for my other operating systems because IE6 is still full of unwanted toolbars and stuff on Windows 2000 left from the last owner.

Is there a way that I can clean Windows 2000 because I've kept Windows XP all clean and clear ever since I've installed it but every time I check it's like the stuff on Windows 2000 just won't go away. Like I said, I think I've cleaned Windows 2000 off but can't be sure because none of the tools are looking specifically where the stuff is hiding in Windows 2000, and the location of where that is, I don't really know. It's like every time I think it's gone I notice something else that shouldn't be there like when I found opea.exe and dvdpaly.exe.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 29, 2014, 09:26:52 PM
Have you wiped the drive where 2000 is installed? None of my tools look at dual boot systems, they only operate in the active Windows.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 29, 2014, 09:59:06 PM
Quote
Have you wiped the drive where 2000 is installed? None of my tools look at dual boot systems, they only operate in the active Windows.
I haven't wiped the partition Windows 2000 is installed on because I don't have a Windows 2000 install disk. This is the only copy of 2000 I have and that's why I still have it instead of removing it and reinstalling.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 29, 2014, 10:21:20 PM
If you boot into the 2000 you could try to run FRST from there although I am not sure if it still works on that OS
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 30, 2014, 03:38:38 AM
Quote
If you boot into the 2000 you could try to run FRST from there although I am not sure if it still works on that OS
In the latest version of FRST, Windows 2000 doesn't recognize it as a valid Win32 application :P. Do you by any chance have a copy that is compatible with Windows 2000 that I could use just to see what's really going on in the background of the system when I boot into it and if there's anything suspicious going on? It would be greatly appreciated.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 30, 2014, 12:45:44 PM
OK, OTL is still 2000 compliant.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
(https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif)

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT


Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 30, 2014, 06:50:18 PM
Thanks for that tool, I did the scan and have attached the two logs created. I think I've found a few more programs that I'll remove and reinstall like Adobe Flash and the browsers and also the sound card driver, I guess one of the driver files got infected and was removed along with all the other bad processes that I removed with Avast!.

After you've looked through the log files, is there anything else you'd suggest I do?
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: Pondus on August 30, 2014, 06:57:05 PM
Just curious, why do you have more than one OS installed?
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 30, 2014, 07:35:53 PM
You appear to have had Trojan.Win32.Delf on this system. I will remove what is evident. Also you appear to have Trend AV and AdAware.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\wsldoekd.exe -- (wsldoekd)
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\tdydowkc.exe -- (tdydowkc)
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\tdctxte.exe -- (tdctxte)
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\sobicyt.exe -- (sobicyt)
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\roytctm.exe -- (roytctm)
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\roxtctm.exe -- (roxtctm)
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\noytcyr.exe -- (noytcyr)
IE - HKU\S-1-5-21-839522115-789336058-1202660629-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2462013
IE - HKU\S-1-5-21-839522115-789336058-1202660629-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-839522115-789336058-1202660629-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy:8080
FF - prefs.js..network.proxy.ftp: "proxy"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "proxy"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "proxy"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "proxy"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 0
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {F66FF50F-219A-4163-93C1-C2713A49CBEC} - No CLSID value found.
O3 - HKU\S-1-5-21-839522115-789336058-1202660629-1000\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4 - HKU\S-1-5-21-839522115-789336058-1202660629-1000..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]
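To show what the entries in the fix above have in common, here is an added triage script (my own example, not OTL's or any poster's code) that scans OTL-style log lines for the indicator classes removed in that fix: services and Run entries whose binaries no longer exist, an enabled IE proxy pointing at a host, Firefox proxy host prefs, and toolbar registrations with no CLSID. The sample lines are constructed: the suspicious ones are modelled on the fix script, and the two clean SRV/O4 lines are hypothetical entries added for contrast.

```python
"""Triage OTL-style log lines for the indicator classes removed in the fix above."""
import re
from typing import List, Tuple

# Constructed sample: the suspicious lines are modelled on the fix script in this
# thread; the two "clean" SRV/O4 lines are hypothetical entries added for contrast.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINNT\system32\wsldoekd.exe -- (wsldoekd)
SRV - [Auto | Running] -- C:\WINNT\system32\spoolsv.exe -- (Spooler)
IE - HKU\S-1-5-21-839522115-789336058-1202660629-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-839522115-789336058-1202660629-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy:8080
FF - prefs.js..network.proxy.http: "proxy"
FF - prefs.js..network.proxy.type: 0
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\S-1-5-21-839522115-789336058-1202660629-1000..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background File not found
O4 - HKLM..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui (AVAST Software)
"""

# One rule per entry class in the fix; the named group captures the detail to report.
RULES: List[Tuple[str, re.Pattern]] = [
    # service still registered but its binary is gone: a typical leftover of removed malware
    ("orphan-service", re.compile(r"^SRV - File not found .* -- \((?P<name>[^)]+)\)$")),
    # IE proxy switched on and pointed at a host: every HTTP request would be relayed through it
    ("ie-proxy-enabled", re.compile(r'^IE - .*Internet Settings: "ProxyEnable" = (?P<name>1)$')),
    ("ie-proxy-server", re.compile(r'^IE - .*Internet Settings: "ProxyServer" = (?P<name>\S+)$')),
    # Firefox proxy host prefs (network.proxy.type is only a mode flag, so it is not matched)
    ("ff-proxy-host", re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(?:http|ssl|socks|ftp|gopher): "(?P<name>[^"]+)"$')),
    # toolbar registration whose COM class no longer exists
    ("dangling-toolbar", re.compile(r"^O3 - .*(?P<name>\{[0-9A-Fa-f-]{36}\}) - No CLSID value found\.$")),
    # autorun entry pointing at a missing executable
    ("orphan-autorun", re.compile(r"^O4 - .*\[(?P<name>[^\]]+)\].* File not found$")),
]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) for every line matching a rule; clean lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        for category, pattern in RULES:
            match = pattern.match(line.rstrip())
            if match:
                findings.append((category, match.group("name")))
                break
    return findings


def proxy_hijack_suspected(findings: List[Tuple[str, str]]) -> bool:
    """Both IE proxy keys together mean the browser really was routed through that host."""
    categories = {category for category, _ in findings}
    return {"ie-proxy-enabled", "ie-proxy-server"} <= categories


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print(f"{category:18} {detail}")
    print("proxy hijack suspected:", proxy_hijack_suspected(results))
```

The same rules can be run over a full OTL.txt; anything flagged is a candidate for the log expert's fix script, not something to delete blindly.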
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 30, 2014, 09:38:23 PM
Thanks for all the help so far essexboy, I ran the fix and restarted. I've included the log of the quick scan in this post. The fix appears to have done some stuff though, after I restarted I had sound again! I didn't even need to find and reinstall the drivers, it appears the application fixed them for me.

Does it look like I'll be able to safely have my network card installed without having any viruses downloading more files and that I'll be able to open the browsers without it launching any more unwanted processes?

Quote
Just curious, why do you have more than one OS installed?
When I got the laptop it already had Windows 2000 and Windows 95 pre-installed on it and I didn't already have a copy of 2000 before this. I still wanted a semi-supported OS though so I used a disk imaging tool in WinPE to take an image of the drive before I installed the current one in it. I wrote the 2000/95 image to a 20GB partition on the new drive then installed XP on the other partition so I could run more modern applications while still being able to keep 2000 for occasional use.
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: Pondus on August 30, 2014, 09:42:05 PM
Do you have any need for Windows 2000 and Windows 95? ..... they belong in a museum ;)

Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 30, 2014, 10:11:01 PM
Looks good now, try the net and let me know how it behaves
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 30, 2014, 10:12:37 PM
I'll do that. Thanks!

Quote
Do you have any need for Windows 2000 and Windows 95? ..... they belong in a museum ;)
Actually, I do. Windows 95 is DOS-mode only and I use it for running games that require DOS like Comanche Maximum Overkill and I use 2000 for testing compatibility with the applications I create. I've had a lot of people tell me that I should stop using old operating systems but it's what I have and it's fun to see what you can do with an operating system next to no one uses today. I even made this post in Windows 98 on my desktop, the forum has great support for Firefox 2.0.0.20 :P

edit:
OK, I'm posting this from Windows 2000 and the browsers look all clean. The only thing I've really noticed is that when sitting idle, even without having the network card plugged in, Task Manager keeps charting frequent CPU spikes from 0-3% to 30-45% usage every 10 seconds or so. Is this just the system doing its normal stuff or do you think it's a possible virus multiplying/infecting new files?
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 30, 2014, 11:11:55 PM
Difficult to say, as I have never used 2000. Which file does Task Manager have using the cycles?
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: REDACTED on August 31, 2014, 01:07:08 AM
I watched the processes window for a bit and noticed that whenever the spikes happened it was jqs.exe using that amount of power. Does that sound normal for that process?
Title: Re: 3 viruses found not detected by Avast! or MBAM
Post by: essexboy on August 31, 2014, 01:00:19 PM
That is Java Quick Start in Firefox. Unless you need Java I would highly recommend uninstalling it, as the last version that supported 2000 has not been updated for a while and is a gaping security hole.