Avast WEBforum

Other => Viruses and worms => Topic started by: artisticmind on July 29, 2010, 01:14:07 AM

Title: Resolved: Can someone help me or try?
Post by: artisticmind on July 29, 2010, 01:14:07 AM
I’m hoping that someone can help me. The other night while browsing the message boards on DiaperSwappers.com (a site for families that are cloth diapering) I picked up a virus. After the fact I find out that several other parents have picked up similar viruses there. I finally got Avast 5 (the free version) downloaded as well as Malwarebytes (version 1.46) and it got rid of the files. Then last night it came back after Avast said that it blocked the attack (this time I was on facebook looking at my wall). I picked up the rogue Antivir Solution Pro software crud along with something else that redirects the links from my search queries to random spam pages. So far this has happened on both google and ask.com but I also use swagbucks search engine and have not had any redirecting from there yet.
Upon startup I get 2 Rundll error messages: “C:\WINDOWS\eqesabam.dll” and “C:\WINDOWS\otalibc.dll”. I got “rid” of it again with both malware and avast but I’ve noticed since removing it the first time while browsing I get an error message report “Generic Host Process for Win32 Services” which when I click on the “Don’t Send Report” it causes my screen to flash and it goes from the blue Windows XP appearance on my Start button and task bar to a gray Windows 95 vintage appearance and then flashes back to the XP appearance. It also seems to disable my internet and I end up shutting down my computer and restarting it to get back on the internet.
I have a Gateway Netbook from Verizon with their internet connection, I’m using IE7 and as mentioned above am using both Avast 5 and malwarebytes. I understand some techie terms but not all and I’ve seen on other posts requests for posting logs and I have no idea how or where to find or create these logs to post them so I would need help with this. Can anyone help me get rid of this crud?!
Title: Re: Can someone help me or try?
Post by: Asyn on July 29, 2010, 01:31:25 AM
Run a boot time scan with avast..!
asyn
Title: Re: Can someone help me or try?
Post by: doc_up72 on July 29, 2010, 03:59:10 AM
Run your scans again but before you do be sure and update each program. Then turn off your system restore to delete any restore points and any reboot hacktools that may be hiding in the restore volume. This is typically the case when you get them clean and they come right back. After cleaning turn system restore back on and create a new restore point. You need real-time protection to help obviate a recurrence of the same. If you still can't rid yourself...then please post the name of the virus(es) that are picked up.
Good luck
Title: Re: Can someone help me or try?
Post by: artisticmind on July 29, 2010, 05:23:21 AM
i made sure both my avast and malwarebytes were updated this afternoon when i ran them. I also just ran the boot scan and that came up with nothing according to the logs. I turned off my system restore just a few minutes ago, do i need to re-run my scans now?
Title: Re: Can someone help me or try?
Post by: SafeSurf on July 29, 2010, 08:44:29 AM
<snip> do i need to re-run my scans now?
Yes.
Update MBAM (malwarebytes) again and run a scan, but this time post your log here (copy and paste).  Prior to running the scan, make sure your Settings > General > Automatically Save File After Scan Completes is checked off.

If you still come up with problems, then we will have you run an OTL log, which we will give you directions on how to do this.

Are you up to date with your Windows Updates?

I noticed you are still using IE7.  You should update this to IE8 for better security.

What other security software do you have on your machine, including a firewall (including past AV and FW)?

Once you are clean, you should check to make sure all your applications and software are up to date with Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ (http://secunia.com/vulnerability_scanning/personal/).  Many of us use this since software is constantly changing.
Title: Re: Can someone help me or try?
Post by: artisticmind on July 29, 2010, 09:48:53 PM
okay i updated again and am running said scans again. here's some info i can provide to you while i wait for my hourlong MBAM to finish.

I'm running Avast! Free Antivirus Program version 5.0.594, Virus Definitions 100729-0 7/29/10 3:00:44AM
and MBAM Database Information 7/29/2010, Version 4367, Fingerprints 263591.

Per your advice I updated to IE8 this afternoon. now i'm just trying to figure out how to get rid of the worthless Bing stuff that came with the update. Can i mention i hate Bing?  ;D i've tried using it on my phone and it's a worthless pain in the rear and i end up going to google anyway...anyway back to the virus topic...

Firewall...umm, as far as i know i have one as per when i open my network connections window it shows that my connections are firewalled. If i go to start>accessories>system tools>security center it shows that my windows firewall is on. If I need a better one please recommend.

Windows Updates...again as far as i know i'm completely updated with those other than the IE8 which i'm now current with updates. when going to the system tools again it shows that my updates are on the "automatic" status for downloading and installing. I never have an icon in my system tray showing that updates are ready for installation so again i'm assuming that my computer is doing as specified and updating. I've tried going to microsoft to make sure that i'm updated and it appears that they've changed it from windows updates to microsoft updates and after accepting the request from active x to run the update it comes up with a window that it's not available to update. i can get the exact wording later. this happened both prior to updating to IE8 and afterwards.

I'll be back in a bit with the log as soon as MBAM is done

ETA: forgot to mention that this antivir solution pro crud came back this morning upon startup even before i was connected to the internet so i know this crud is lurking in my system somewhere. I probably should have mentioned this as well but the only way i can get in to get connected to my internet and get MBAM to run is to run Rkill, which was created and posted by someone on bleepingcomputer.com. it's the only way to get rid of the antivir icon from my system tray and to stop the popups and "warnings" saying that "blank" file is infected (including my VZAccess file and MBAM file) along with the assorted popups that flash up when the icon is active on my system tray.
Title: Re: Can someone help me or try?
Post by: artisticmind on July 29, 2010, 11:01:00 PM
okay here is the log from my full system MBAM scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4367

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/29/2010 3:48:40 PM
mbam-log-2010-07-29 (15-48-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 210445
Time elapsed: 1 hour(s), 23 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\SolutionAV (Trojan.FakeAV) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


my avast found 2 infected files:
name: exe.exe, original location: c:\windows\temp, virus: win32:rookit-gen[rkt]
name: index[1].htm, original location: c:docs & settings\networkservices\localsettings\temp int. files\content.IE5\v1v9d074 Virus: js:downloader-zw[trj]

since those have run i'm going to delete my cookies, temp. int. files, history, and empty my recycle bin and turn my system restore back on. please correct me if i'm wrong and i'll turn it back off.
Title: Re: Can someone help me or try?
Post by: SafeSurf on July 30, 2010, 10:01:21 AM
Turn your system restore back on and run an Avast Boot-time scan (it will take a while to run).   Also make sure your Avast definitions are up to date (UTD).  Report back with results.

You do need a better firewall (FW) than the XP FW.  I suggest a third party FW.  Several have been suggested on the forum that work well with Avast:  Online_Armor; PC_Tools_FW_Plus (no AV or spyware); Comodo (without AV/D+); Outpost.

Suggestion for installs (like getting bing), do Custom installs or look very carefully for "toolbars" or adware being installed and make sure you do NOT install them as they only cause headaches and possible spyware.  I'm not saying in this situation it is a problem, but I'm sure you will be able to remove it at a later date once your problems are resolved; I believe you can change it to another site. 

Title: Re: Can someone help me or try?
Post by: artisticmind on July 31, 2010, 02:27:52 AM
okay ran boot scan this afternoon, no viruses, my database updated again so i'm just running a quick scan. Antivir hasn't come back again...yet. Still getting the rundll errors at start up as mentioned in the first post and i still have something rerouting my searches when i click on a link. Also after connecting to the internet via my VZAccess icon the first internet window i pull up from the Internet Explorer icon freezes up since updating to IE8. never had that issue with IE7 even with the virus. I have to close it, it comes up with the box that program not responding and the option to end task which i have to click to get window to close and of course the lovely error report option. Once my browsing session is open i get one spam popup window almost immediately and then another one or two throughout an internet session, so maybe 3 an hour. One of the favorite ones that likes to come up is porno.com---real lovely when you have small children in the room, and a couple that i think are shopping sites. I'm not sure as to what they are because as soon as the new window opens i click the close button in case they are carrying something that my computer doesn't need. Any ideas? I'll get a new firewall up tonight that you recommended.
Title: Re: Can someone help me or try?
Post by: SafeSurf on July 31, 2010, 08:05:34 AM
You'll need to run an OTL Log.  Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0).  Follow the directions of obtaining an OTL log and you can post the OTL log as an attachment (Additional Options in the bottom left corner under the message screen when posting).  I will refer you to one of our malware experts named Essexboy for further assistance and he will be contacting you after you post your OTL log.
Title: Re: Can someone help me or try?
Post by: artisticmind on August 01, 2010, 12:07:52 AM
okay, here's my logs. Thanks!
Title: Re: Can someone help me or try?
Post by: SafeSurf on August 01, 2010, 07:26:09 AM
Nice logs with some problems, esp. with IE.   Do you or did you at some point have a variety of antivirus software like Norton Internet Security, McAfee, CA, Kaspersky, Panda, Sophos, Trend,  Ahnalba?  Do you or did you at some point have a variety of firewalls like McAfee, Panda, Symantec/Norton, Tiny, Trend, ZoneLabs? 

Essexboy will review the logs, since he is the expert and contact you with further instructions.

In the meantime, I want you to:
1. Update Avast and scan, and update MBAM and do another scan for possible disinfection.  If anything shows up as positive, please post the infection results.

2. Download CCleaner http://www.piriform.com/ccleaner (http://www.piriform.com/ccleaner) is a freeware system optimization, privacy and cleaning tool.  It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space.  It also cleans traces of your online activities such as your Internet history.  Additionally it contains a fully featured registry cleaner.  Remember when installing to uncheck the Yahoo toolbar.  Don't use the Registry cleaner until your problems are fixed by Essexboy. 

Your system needs a lot of cleaning up and updating of software.  Once everything is fixed, you should download the free Secunia Software Inspector to keep your software up to date http://secunia.com/vulnerability_scanning/personal/ (http://secunia.com/vulnerability_scanning/personal/) and use it weekly/biweekly.



Title: Re: Can someone help me or try?
Post by: SafeSurf on August 01, 2010, 07:30:02 AM
I noticed one more thing that I need you to check.  Please go to Control Panel > Add/Remove Programs > check to make sure you have the following listed:

               "Microsoft Visual C++ 2008 Redistributable Package"

You may also have the year 2005 listed as well, but should definitely have 2008 listed.  Let me know what versions you have listed.  Thank you.
Title: Re: Can someone help me or try?
Post by: artisticmind on August 02, 2010, 04:34:57 AM
Regarding the firewalls/antivirus tools no I've never tried installing anything in this machine prior to the infection, i was naive, what can i say LOL. When the infection hit i tried downloading the AVG Free by Grisoft but the virus wouldn't let that happen even after i downloaded the program to a usb flash drive on another computer and tried to install it. No other firewalls to my knowledge. It's possible if i go back through my paperwork there was a trial of norton or something that came with the netbook that i never activated, not a fan of norton or mcafee, i always had good luck with AVG on my old dell. No spyware programs or anything like that, should just be the avast! and MBAM. I will get my scans run tonight and report back. I did check that software, I only see the 2008 version on the Add/Remove programs tool. As for the one program you told me to download does it give me an option not to run the registry cleaner or download it and wait to run the entire thing until essexboy has looked at it?
Title: Re: Can someone help me or try?
Post by: SafeSurf on August 02, 2010, 09:31:58 AM
@ Nariamathstes,

Please start a New Topic of your own as this will just confuse the current thread and we will help you there. 

Go to this link,  http://forum.avast.com/index.php (http://forum.avast.com/index.php), scroll down to the Avast Free/Pro/Suite or the General Topic forum and click it, click the New Topic button at the top of the list and post there.  It is inappropriate to post here.
Title: Re: Can someone help me or try?
Post by: SafeSurf on August 02, 2010, 09:47:54 AM
As for the one program you told me to download does it give me an option not to run the registry cleaner or download it and wait to run the entire thing until essexboy has looked at it?
You can download it and use the "Cleaner" button; don't use the "Registry" button until Essexboy works with you.  But if you are finding that you having a hard time downloading and installing things while you are having this malware problem, wait until Essexboy works with you.

Re: the use of the usb flash drive, I would not use that again unless Essexboy says it's OK.  You had malware that was found by MBAM, it is possible for that malware to have also gotten into the flash drive as well after you used it from the other machine into this one.  So for now, isolate the stick and don't use it.

Essexboy...she's ready for you.  See OTL logs on page 1.  Thanks.
Title: Re: Can someone help me or try?
Post by: DavidR on August 02, 2010, 04:12:38 PM
@ Nariamathstes,
Please start a New Topic of your own as this will just confuse the current thread and we will help you there. 
<snip>

I believe you have just responded to a spammer posting for the first time in a totally unrelated topic, the Afghanistan flag doesn't relate to their location and the email address is listed in a spammers listing.
Title: Re: Can someone help me or try?
Post by: SafeSurf on August 03, 2010, 12:41:49 AM
@ DavidR.

I realized that after the fact and reported him...bye, bye.  ;D
Title: Re: Can someone help me or try?
Post by: artisticmind on August 03, 2010, 05:00:45 AM
My avast! full system scan picked up a virus today, "HTML:Downloader-F" a trojan. MBAM has not picked up anything and both systems are updated.

ETA: i did get the CCleaner downloaded and installed. I guess i'm confused on what it should actually be "deleting." I did the "analyze" search first and it pulled up a bunch of my word documents for school but i think it's just the links where I had to post them to an online site for online classes. It won't actually touch the documents themselves, will it?
Title: Re: Can someone help me or try?
Post by: DavidR on August 03, 2010, 05:42:43 AM
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

If it was moved to the chest (a protected area), which presumably is the action you took then MBAM wouldn't find anything.
Title: Re: Can someone help me or try?
Post by: mkis on August 03, 2010, 07:41:17 AM
Hi artisticmind

Firstly follow DavidR's advice and see if we can identify the infection so as to get some idea of what is the current state of play with the malware threat. This will give us a bit of time to assess the next course of action. In the meantime what follows is an optional course of action, which you could undertake - or perhaps consider while other forum members might like to contribute a second opinion on the situation.

If you want we can tidy up a bit to make things easier for removal work that may need to be done later. It would appear that the virus  on yr system was originally identified as follows - and some of the removal work has since been underway, initially by Malwarebytes --

Malware by name exe.exe  - http://www.threatexpert.com/report.aspx?md5=dbd276f428069d37532f9697eb864ca9

1. You should run Norton /Symantec uninstaller tool(s) just so avast has a bit more freedom to perform to its best without false positives
- you had Norton Internet Security 2009, plus a Symantec Endpoint Protection product, I guess as trial that you did not activate
- so I don't think it would hurt to run the uninstaller tool(s)

Quote
It's possible if i go back through my paperwork there was a trial of norton or something that came with the netbook that i never activated, not a fan of norton...
Here is the trace in yr OTL log --

= Win32 Services (Safelist) =
SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe -- (Norton Internet Security)

= Driver Services (SafeList) =
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
DRV - File not found [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)

To sort these out, go to this page http://uninstallers.blogspot.com and download both Norton / Symantec uninstaller tools.
Or (a bit harder) Symantec product - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007080209280848?Open&seg=ent
(Likewise) http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US

You will be wanting to boot into Safe Mode and run these uninstaller tools, but before you do that you can download HijackThis as well (if not done so already) so that you can also run an overview scan while you are in Safe Mode and do a bit of tidying up in preparation for any more serious removal work that needs to be done. Ultimately, you can run OTL again and just see how much damage still remains on yr system.


2. When you run the HijackThis scan, there are the entries you will look to fix. Click here – (will take direct to HjT download)
http://www.filehippo.com/download_hijackthis/download/8571e06e5eb8ab03c649f3b5d647c599/

Run in Safe Mode. To fix an entry put a check in the box next to the entry and then click Fix checked tab down left corner of screen
Or you can post the log to the forum first, before taking action, if that is what you prefer

Fix the following --

O4 - HKLM..\Run: [Psurogaje] C:\WINDOWS\eqesabam.DLL File not found
O4 - HKCU..\Run: [Predujehoko] C:\WINDOWS\otalibc.DLL File not found

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

The Java program on yr system looks a bit mess about - may pay to check for any damaged entries in Downloaded Program Files
Start -> Control Panel -> Internet Options -> General -> (Browsing history) Settings -> Objects, and check for anything with (damaged)
Reply post if any damage

Back to Java entries in HjT - this Plug-in is out of date
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
and this Plug-in is a double entry
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
this Plug-in is a good entry
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

However java has only now just been updated
- rather than use Fix checked just now, it may pay to uninstall all existing java and re-install the latest version (can do now or later)

Likewise some mess about with Adobe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
Check what you have for Adobe in Control Panel - would not hurt to uninstall all existing, then go to Adobe download page  http://www.adobe.com/downloads/ (http://www.adobe.com/downloads/)  and only install Flash Player and Shockwave, for the time being while the malware issues are being attended to (And as with Java, don't have to do this now if you don't want - can do now or later)

3. Run the OTL scan again to bring us up to date.
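As an added defender-side illustration (not from this thread, and not part of HijackThis, OTL or any other tool mentioned here), the script below parses HijackThis-style O4/O7/O16 lines like the ones quoted in this post: it flags Run entries that point at a DLL marked "File not found" (the orphaned autoruns behind the startup Rundll errors), decodes the NoDriveTypeAutoRun policy bits, and spots outdated or duplicated Java plug-in entries. The sample log is constructed from the entries quoted above plus one benign Run entry; all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the O4/O7/O16 entries quoted in this thread, plus one
# benign Run entry (ExampleApp) that is invented purely for contrast.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Psurogaje] C:\WINDOWS\eqesabam.DLL File not found
O4 - HKCU..\Run: [Predujehoko] C:\WINDOWS\otalibc.DLL File not found
O4 - HKLM..\Run: [ExampleApp] C:\Program Files\Example\app.exe /tray
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\.\.\\Run: \[([^\]]+)\] (.+)$")
O7_RE = re.compile(r"^O7 - (.+): NoDriveTypeAutoRun = (\d+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) (\S+)")
JAVA_VER_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")

# Bit meanings of the Explorer NoDriveTypeAutoRun policy value.
# 0x91 (145) is the Windows XP default: unknown + network + reserved.
NODRIVETYPE_BITS = [
    (0x01, "unknown (no root directory)"),
    (0x04, "removable"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM"),
    (0x40, "RAM disk"),
    (0x80, "reserved/unknown type"),
]


@dataclass
class Finding:
    kind: str   # orphaned-autorun | autorun-policy | outdated-plugin | duplicate-plugin
    line: str   # the log line that triggered the finding
    note: str   # human-readable explanation for the helper/reader


def decode_nodrivetype(value: int) -> List[str]:
    """Return the drive types for which autorun is disabled by this policy value."""
    return [name for bit, name in NODRIVETYPE_BITS if value & bit]


def java_version(url: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, update) from a jinstall cab URL, if present."""
    m = JAVA_VER_RE.search(url)
    return tuple(int(x) for x in m.groups()) if m else None


def fmt_java(v: Tuple[int, int, int, int]) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def analyze(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    java_entries = []   # (version, line) for O16 entries that carry a Java version
    seen_cabs = set()   # cab URLs already listed, to catch double entries
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, target = m.groups()
            if target.endswith("File not found"):
                findings.append(Finding(
                    "orphaned-autorun", line,
                    f"{hive} Run value [{name}] still loads a DLL that no longer exists; "
                    "this is what produces a Rundll error at logon. The value is a leftover "
                    "and can be fixed (removed) in HijackThis."))
            continue
        m = O7_RE.match(line)
        if m:
            value = int(m.group(2))
            kinds = ", ".join(decode_nodrivetype(value))
            findings.append(Finding(
                "autorun-policy", line,
                f"NoDriveTypeAutoRun={value} (0x{value:02X}) disables autorun for: {kinds}."))
            continue
        m = O16_RE.match(line)
        if m:
            clsid, cab = m.groups()
            if cab in seen_cabs:
                findings.append(Finding(
                    "duplicate-plugin", line,
                    f"{clsid} references the same cab as an earlier entry."))
            seen_cabs.add(cab)
            ver = java_version(cab)
            if ver:
                java_entries.append((ver, line))
    # Any Java plug-in older than the newest one listed is an outdated entry.
    if java_entries:
        newest = max(v for v, _ in java_entries)
        for ver, line in java_entries:
            if ver < newest:
                findings.append(Finding(
                    "outdated-plugin", line,
                    f"Java Plug-in {fmt_java(ver)} is older than {fmt_java(newest)}."))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.note}")
```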
Title: Re: Can someone help me or try?
Post by: SafeSurf on August 03, 2010, 09:02:10 AM
artisticmind,

I had PM'd Essexboy a while ago, and just PM'd him again.  I believe he was away when I first PM'd him, but he should be contacting you shortly.  In the meantime, follow the instructions given to you above.  Thanks.
Title: Re: Can someone help me or try?
Post by: essexboy on August 03, 2010, 09:06:08 PM
Here I be  ;D sorry for the delay
Quote
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Once this fix has run could you let me know what your current problems are please

Run OTL
Code: [Select]
:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe -- (Norton Internet Security)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)
O4 - HKLM..\Run: [Psurogaje] C:\WINDOWS\eqesabam.DLL File not found
O4 - HKCU..\Run: [Predujehoko] C:\WINDOWS\otalibc.DLL File not found
[2010/07/28 23:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\gntjpgixe
[2010/07/23 21:26:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ansara\Local Settings\Application Data\xbfgeluhk
[2010/07/25 14:25:46 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Eferewohi.dat
[2010/07/25 12:07:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Gkijozececisuwa.bin

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: Can someone help me or try?
Post by: artisticmind on August 03, 2010, 09:51:48 PM
DavidR~ the virus was found in C:\docs and settings\networkservice\localsettings\temp int. files\content.ie5\qx9bxrpo\exemple[1].htm

i'm going to print the above instructions and work on getting that stuff accomplished for you and i'll report back later...hopefully i can get most of it done during my little one's nap time  ;D

ETA: i deleted my cookies and temp internet files last night as well, i've been doing that about every 3 days if that helps for your research purposes.

and this is a dumb question, how do i set the correct time on this forum? i've gone into my profile and can not see any tools to set the time in there. this forum shows my current time as 8pm when it's actually 3pm
Title: Re: Can someone help me or try?
Post by: DavidR on August 03, 2010, 10:40:06 PM
I'm not sure if you can change that but it comes under the Look and Layout Preferences section of the Profile.

There are restrictions on what you are allowed to change in your profile (after you have registered) until you have 20 posts.

- The problem comes from drive by spammers, who having registered put objectionable or commercial links in their profile signature to try and gain link promotion, etc.

There have also been cases of the PM function being abused to spam forum members, so you will notice that you can't use the PM function either.

Unfortunately because of the actions of others legitimate members suffer by the actions to prevent this spamming.

I see essexboy is back and he is targeting the areas that I was asking about.
Title: Re: Can someone help me or try?
Post by: artisticmind on August 03, 2010, 11:20:38 PM
1. You should run Norton /Symantec uninstaller tool(s) just so avast has a bit more freedom to perform to its best without false positives

To sort these out, go to this page http://uninstallers.blogspot.com and download both Norton / Symantec uninstaller tools.

okay that site has tools for norton/symantec, a corporate norton/symantec which i know i don't need, and a symantec active x tool. i need both the regular norton and the symantec active x uninstall tools, correct?

Thanks david regarding the time. not a big issue just a little on the annoying side, i'll live with it LOL
Title: Re: Can someone help me or try?
Post by: mkis on August 03, 2010, 11:44:10 PM
That's okay, just run OTL with the script and direction that essexboy has provided above.

the next scan / log should show that the issue has been sorted.
Title: Re: Can someone help me or try?
Post by: artisticmind on August 04, 2010, 01:00:24 AM
logs are attached.

the rundll errors went away, Thanks! the popup window that i get after opening my IE seems to have gone away, usually comes up within 30 seconds or so of opening it. The only thing that i can see remains is my searches from google are being redirected. Example i searched for cars.com, came up with a match for cars.com and clicked on it and this is the link i'm redirected to "affordableendo.com/result.php?Keywords=cars.com&r=494934328b7147af81b885c683737a4d368ac647123151aa40218ca5b889724bbb344f15e838afab84ec5d59af55e081&Submit=Go" with an http:// on the front of it.

I've gone to my add/remove programs list and removed all adobe items. I have "acrobat.com" listed in my program list, do i need to remove that as well? I've also removed the java update 6 from my program list but have a JSRE update 5 (or something similar to that- it has the little "java" cup icon on it) do i need to take that out as well?
Title: Re: Can someone help me or try?
Post by: artisticmind on August 04, 2010, 03:39:18 AM
okay i lied, the pop up came up this time after i connected to the internet, some random spam full page popup. the only other thing i have yet to see is the Win32 error message report that i mentioned in my first post. It *usually* comes up about 45mins to an hour after i've connected to the 'net and once it comes up it breaks my internet connection and i have to shut down my VZAccess connection and window and restart my internet.
Title: Re: Can someone help me or try?
Post by: mkis on August 04, 2010, 06:55:21 AM
Okay this is better. I'm going to leave this for the moment in case essexboy wants to post comments.

The only thing is the log files you have attached - could you run a standard OTL scan as you did very first time and attach the logs please.
The desktop is still a bit cluttered but don't worry too much about that right now. Best post OTL logs first.

Also could you tell us a bit about yr network service as it appears to me that you have Java, Sun, Adobe active on network.

Are you able to work the computer with only small irritations, no major problems?
Title: Re: Can someone help me or try?
Post by: SafeSurf on August 04, 2010, 07:14:33 AM
Essexboy is back and notified me that he will be taking over to assist artisticmind in her malware removal. 

Thank you everyone for your assistance.
Title: Re: Can someone help me or try?
Post by: essexboy on August 04, 2010, 07:50:54 PM
Do the popups occur in IE - FF or both ?


Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: Can someone help me or try?
Post by: artisticmind on August 04, 2010, 11:22:28 PM
essexboy, I disabled my avast!, i've got combofix installed, it loaded the recovery console, and then went into scan mode, i can see the little cursor blinking but for 45 minutes the program has not moved? do i need to stop the scan and restart it or leave it be?
Title: Re: Can someone help me or try?
Post by: essexboy on August 04, 2010, 11:24:59 PM
Give it another 5 minutes or so and then stop it, reboot and look for the log at C:\combofix.txt
Title: Re: Can someone help me or try?
Post by: artisticmind on August 05, 2010, 02:09:22 AM
here's my log. first time around it didn't go past the "scan should take 10 minutes" warning, second time around it came up with a "stage 1 completed, stage 2 completed, etc" note in the window it was running in. Sorry it took so long.

my avast! came up with another virus after updating this afternoon and it was moved to the chest, another HTML: Downloader-F [TRJ] in the C:\docs. & settings\networkservice\localsettings\temp. int. files\content.IE5\gzvns1ai\exemple[1].htm


not sure if you needed that
Title: Re: Can someone help me or try?
Post by: essexboy on August 05, 2010, 09:17:05 PM
They are in your temporary internet files, do you get the warning when you visit a specific site ? 

1. Please open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\glnsdsayh

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: Can someone help me or try?
Post by: artisticmind on August 05, 2010, 10:21:38 PM
I get the notices for "malicious url blocked" all over the place it seems like, facebook (which doesn't surprise me one bit), an online newpaper and column, and a couple of message boards. I never get a notice that says "you're infected" but it just shows up in my avast! scans even though i've been regularly dumping my temp. internet files.

here is the new combofix log

not sure what OTL log you want, just open it and click scan or go back and copy the code from the 2nd page of this thread and run a new OTL?

also, can i go ahead and delete the old logs i've posted? i've been saving them to my desktop so i can easily find them for posting but i'm getting quite a few log files on my desktop now LOL. i'll leave them if you think you may still need them.
Title: Re: Can someone help me or try?
Post by: essexboy on August 05, 2010, 10:42:47 PM
Swag_Bucks did you install this toolbar ?

Yes, you can delete the old logs, although I do tidy up after myself  ;D

Just re-run OTL but without the custom scans - ensure that all users is checked though

Do you use a router to connect to the internet ?

Title: Re: Can someone help me or try?
Post by: artisticmind on August 05, 2010, 11:33:00 PM
the swagbucks tool bar is an add-in that i downloaded for a search engine that i use (way prior to this infection) and funny thing is it's the only search engine i've tried so far that my searches haven't been redirected. I haven't tried google yet today so if you fixed something, i haven't tried it yet  :-\

I have a Gateway Netbook that we purchased through Verizon Wireless, our cellular provider. It has a built-in wireless internet card and wi-fi capabilities. My dad does have a Lynksys router in the house but it currently has no inbound internet connections if that makes sense. it's a desktop computer in the spare office that the router is plugged into but that computer doesn't have internet connection. I know on my network connections page a Lynksys connection comes up and I have been able to connect to the internet through it instead of going in and making a connection through the program from Verizon.

here's that log-
Title: Re: Can someone help me or try?
Post by: essexboy on August 05, 2010, 11:46:26 PM
There is nothing left that is evident, so I would like to run a standalone AV

Please, download Kaspersky AVP Tool from one of these two links:
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://dnl-us6.kaspersky-labs.com/devbuilds/AVPTool/

Save it in your desktop.

Double-click the file and follow the prompts. Once it finishes, open the folder Virus Removal Tool. It will be created in the same directory where you saved the setup file.

To run the tool, just double-click its shortcut (http://i286.photobucket.com/albums/ll83/mcristinna/KRT_lnk.png)

Make sure these options are checked:

  • Computer
  • Local Disk (C:)
Also mark all the disks/removable drives that would/will appear under Local Disk, if exist. 

Hit the Start button to begin the scan.

Be patient, it will take a while.

When the scan is complete, if it finds something it will ask you what to do. Click in Skip (we only want the log).

Obs: Maybe you may have to click in Skip several times if the tool finds multiple files, so be patient.

While running the scan, the button  Scan will change to a red icon.

When the scan is complete, the button will change back to a green icon.

Click in Report button.

Then click the plus sign + next the last Autoscan from the list (the most recent), to expand it:

(http://i286.photobucket.com/albums/ll83/mcristinna/SaveReport.png)

Click one time in Task Started to select it, hold the shift key and click in Task Completed to select this range.

Right-click in this selection, the click in Copy

Open Notepad, then go to menu Edit > paste

Name it as log.txt and save it in your desktop.

Copy all its contents and paste your next reply.

After that, if you want to uninstall the tool:

Close all open windows and save all that you want.
Go to the folder Virus Removal Tool and run the file unins000.exe
Follow the prompts.

Your computer will be rebooted.
Title: Re: Can someone help me or try?
Post by: artisticmind on August 07, 2010, 12:50:42 AM
ha! you weren't kidding when you said it would take a while- 2.5 hours  :o i didn't get a chance to run it until this afternoon. Log is attached. I haven't noticed anything popping up or being alerted of anything by avast! so maybe it's gone for the most part, stuff did come up on the kaspersky scan but i don't know if it's new stuff or duplicate or stuff that was hiding. I did try google last night and it worked like it should. Thank you sooooo much!
Title: Re: Can someone help me or try?
Post by: essexboy on August 07, 2010, 06:37:19 PM
That just detected the TDSS that we removed

I saw that you skipped some Java scripts, do you know what they are ?

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Run OTL
Code:
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)   Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:
SPRING CLEAN
 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:
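The OTL `[resethosts]` command in the post above restores the default Windows hosts file. The script below is added here as an example (it is not part of the thread, of OTL, or of any other tool named in it) and shows what a defender can inspect a hosts file for before resetting it: names pinned to a remote address (the search-engine redirect behaviour reported in this thread) and security-vendor or update sites sent to loopback. The sample hosts content, the 198.51.100.23 address and the `WATCHED_SUFFIXES` list are constructed assumptions for the example.

```python
"""Flag hosts-file entries that redirect or block well-known sites.

Added example, not from the forum thread. The sample file below is
constructed: 198.51.100.23 is a documentation address, not a real host.
"""
import ipaddress

# Addresses it is normal for a hosts file to map a name to
# (loopback, plus 0.0.0.0 as used by ad-blocking hosts lists).
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}

# Sites that should never be overridden in hosts: the search engines
# mentioned in the thread plus AV / update vendors. Assumed list.
WATCHED_SUFFIXES = (
    "google.com", "ask.com", "bing.com", "yahoo.com",
    "avast.com", "malwarebytes.org", "microsoft.com", "windowsupdate.com",
)

# Constructed sample hosts file with one redirect and one vendor block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# Constructed sample HOSTS file for this example.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com
198.51.100.23   google.com
127.0.0.1       www.avast.com   # vendor site sent to loopback
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples for each mapping in the text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid mapping line; ignore it
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_watched(name):
    """True if the name is, or is under, one of the watched domains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Classify entries as 'redirect' (remote address) or 'blocked'.

    Any hostname other than localhost pinned to a non-blackhole address is
    reported as a redirect; an administrator with legitimate intranet
    entries should allow-list those names. A watched site pointed at a
    blackhole address is reported as a block of that vendor/search site.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost" or name.endswith(".localdomain"):
            continue
        if ip not in BLACKHOLE:
            findings.append(("redirect", ip, name, line_no))
        elif is_watched(name):
            findings.append(("blocked", ip, name, line_no))
    return findings


def report(text):
    """Human-readable lines for each finding (empty list if clean)."""
    return [f"line {ln}: {kind} {name} -> {ip}"
            for kind, ip, name, ln in suspicious_entries(text)]


if __name__ == "__main__":
    # Replace SAMPLE_HOSTS with the contents of
    # %SystemRoot%\System32\drivers\etc\hosts to check a real machine.
    for line in report(SAMPLE_HOSTS) or ["hosts file looks clean"]:
        print(line)
```

On the constructed sample the script reports the two google.com entries as redirects and www.avast.com as a blocked vendor site, while the 0.0.0.0 ad-blocking line is left alone; a genuinely clean default hosts file produces no findings.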
Title: Re: Can someone help me or try?
Post by: artisticmind on August 07, 2010, 10:34:19 PM
okie dokie i will follow the instructions above. re: the JSRE in my add/remove programs list i have a JSRE 5. do i need to remove that prior to downloading/updating to JSRE6? Also a previous helper suggested that i completely reload my adobe I've uninstalled all that i can see in my programs list in the add/remove programs tool however I still have a listing for acrobat, do i need to remove that or should it be okay?
Thank You again soooo much!
Title: Re: Can someone help me or try?
Post by: essexboy on August 08, 2010, 12:30:08 AM
Hi, yes delete all Java versions, are you replacing Adobe with Foxit reader ?
Title: Re: Can someone help me or try?
Post by: artisticmind on August 10, 2010, 09:12:15 PM
have been running with no problems that i can tell. avast! is running and yesterday it found something in this location- "C:\SystemVolumeInformation\_restore{563B71FD-59f2-44f2-86E6-017A84708862}\RP11\A0004718.sys" name:Win32:Alueron-FZ i moved it to the chest and can't see anything that it did but who knows. other than that no issues, my database just updated so i'm running another scan as we speak. I did get Adobe reinstalled, working on java as we speak now too. Hubby shut the computer off the other night and closed out my installation  ::)
Title: Re: Can someone help me or try?
Post by: essexboy on August 10, 2010, 09:28:04 PM
That is in the system restore - I must admit I thought I had cleared them

Step by step instructions here http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Title: Re: Can someone help me or try?
Post by: artisticmind on August 18, 2010, 06:16:59 AM
Sorry I forgot to pop in here and update. Deleted the system restore points and reactivated it and have been clean since! Thank you, thank you, thank you!
Title: Re: Can someone help me or try?
Post by: essexboy on August 18, 2010, 12:49:55 PM
Glad to be of assistance
Title: [RESOLVED] Re: Can someone help me or try?
Post by: SafeSurf on August 19, 2010, 11:18:21 AM
@ artisticmind,

I am glad things are finally working out for you.

Once you feel that your issue is resolved/fixed, please go back to the open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.  Thank you.

@ Essexboy, thank you again for the wonderful work you provide to our users here in the forum!  It is very much appreciated.  :)