Author Topic: MSN virus/several trojans help?!?  (Read 36991 times)

pandammonia

  • Guest
MSN virus/several trojans help?!?
« on: November 05, 2006, 01:47:00 PM »
I appreciate any help I can get with this one....
Was at my little brother's house today getting some files off his comp. He's on XP SP2 with all current updates and using the Firefox browser. When I opened up 'My Computer' there were about a dozen bizarre files just sitting there; not even a second later his AVG anti-virus kicked in, finding all these trojans (silly me forgot to grab names) located in different places, some in system restore. I moved all to 'vault'. Also a Google window opens up, blank, and won't close unless you go through 'alt+ctrl+del'. He said he got it through one of the MSN viruses: a link appeared in a message from one of his contacts and silly boy clicked on it. I plan on working through all this for him to get his system back up properly. However, I would rather install AVAST instead of AVG, preferably before doing anything else, as it's what I'm used to. So my 1st question throughout this no doubt ordeal is... Can I uninstall AVG anti-virus, while there are files in the vault, and just install AVAST? Should I just remove all files from vault 1st and just get rid of AVG and let avast take care of it once I put that on?
Any help is greatly appreciated...

Lisandro

  • Avast team
Re: MSN virus/several trojans help?!?
« Reply #1 on: November 05, 2006, 02:05:49 PM »
Quote
Can I uninstall AVG anti-virus, while there are files in the vault, and just install AVAST?
Well, you'll lose the files in Vault.
Plug in a USB drive, right click the files in Vault and choose 'Restore File(s) as', moving them to the USB drive.
Hey, take care, they're infected. But just in case they were false positives or necessary files to boot.
Then, uninstall AVG, boot, install avast, boot.

Quote
Should I just remove all files from vault 1st and just get rid of AVG and let avast take care of it once I put that on?
Only if you don't want to get rid of those files either...
The best things in life are free.

pandammonia

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #2 on: November 05, 2006, 02:27:10 PM »
Cheers.  ;D I have tried asking on the AVG forum but they aren't as prompt as u guys (or as friendly  ;) ) and like I said, I'm familiar with avast and prefer it myself. But in this instance, because they're mainly trojans and such, should I just work with AVG until they're gone and then put avast on? Also am I right in thinking that my first steps are: to run CCleaner, AdAware, Spybot, then Ewido, then anti-virus, reboot, run all again. Then once clean run in safe mode to be sure? I've heard this MSN virus can be a doozy to remove though, will I need to do more?

DavidR

  • Avast Überevangelist
Re: MSN virus/several trojans help?!?
« Reply #3 on: November 05, 2006, 03:34:26 PM »
Quote
Cheers. ;D I have tried asking on the AVG forum but they aren't as prompt as u guys (or as friendly  ;) ) and like I said, I'm familiar with avast and prefer it myself.
You have now found another decision in your choice of AV: support, and as you have found, AVG is lacking in that department.

You will be fine with avast, and no single security program is going to cut it nowadays, so you also need anti-adware/spyware defence to provide a multi-application defence. Having ones that don't conflict is important, and you seem to have that covered.

Running Ewido from safe mode is usually very effective at removal of malware that would otherwise be difficult to deal with. I'm not sure it is a good idea to stick with AVG until you deal with these trojans: 1) we don't use AVG so couldn't offer any productive help, 2) avast offers a boot-time function that isn't available to AVG. So I would suggest you follow Tech's advice of backing up the files in the vault. Note the original location of the files in the Vault so you can restore them if they later prove to be OK. Take care.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lisandro

  • Avast team
Re: MSN virus/several trojans help?!?
« Reply #4 on: November 05, 2006, 03:40:46 PM »
Quote
Cheers.  ;D I have tried asking on the AVG forum but they aren't as prompt as u guys
For sure, the AVG forum is far behind the avast one. I can say that from experience here and there.

Quote
But in this instance, because they're mainly trojans and such, should I just work with AVG until they're gone and then put avast on?
Better. Do a full AVG scan and send the infected files to the vault.
Uninstall AVG and install avast, running a boot-time scan after that.

Quote
Also am I right in thinking that my first steps are: to run CCleaner, AdAware, Spybot, then Ewido, then anti-virus, reboot, run all again.
Ok.

Quote
Then once clean run in safe mode to be sure? I've heard this MSN virus can be a doozy to remove though, will I need to do more?
Better: an avast boot-time scan.

pandammonia

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #5 on: November 05, 2006, 04:04:56 PM »
Thanks again Tech and DavidR. Hope to fix this thing in the next few days. Have been investigating other people's problems with this one and it seems Hijack This comes in quite handy. I've been studying up a lot on how to use it and what everything means and such, but I do realise it's still quite in depth and can cause some damage if used incorrectly. Are you guys able to help with that if it has to go that far?

essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: MSN virus/several trojans help?!?
« Reply #6 on: November 05, 2006, 04:08:04 PM »
Possibly, although I am running one at the moment. However, you could mosey over to http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html to get started.

DavidR

  • Avast Überevangelist
Re: MSN virus/several trojans help?!?
« Reply #7 on: November 05, 2006, 04:13:44 PM »
Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

There are a number of people that can help with hijackthis log analysis, there are also on-line analysis sites that give reasonable advice, but nothing is ever 100%. They give indications of Nasty, Possibly Nasty, Unknown, etc, these are the ones that need further investigation (google search on file name, etc.) before committing to a fix.

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2 The first of these also has a means of uploading the suspect files for AV scanning.

But you can also seek advice here; there are other places that specialise in this advice (as essexboy mentions).

pandammonia

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #8 on: November 05, 2006, 04:15:45 PM »
Cheers! A most helpful site. Will check out the others too. Will keep u posted on progress!
Thanks heaps guys. Honestly can't praise you enough for your help !

pandammonia

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #9 on: November 17, 2006, 04:29:19 AM »
Hey guys! How's it going? Got some updates on this for you...
Upon further inspection of his computer, I ran AVG anti-virus and it detected over 110 worms and trojans, in all manner of places scattered about his PC. Not having the time or the patience to sit and write details of each, I just moved them all to chest. I then went to 'restore files as' to try and copy them in case something goes wrong, but I couldn't send them to D: drive to burn, so left them in the chest. That was a week ago, and he said everything is running ok, so should I clean all files or just delete? I don't want to remove AVG and install avast until the system is clean.
Also there were several dodgy as processes running that I shut down prior to scanning. As I said, there were so many trojans n stuff I didn't grab all names n stuff, but a few of the infected files look like such; c:\kybrdff_e54.exe ( as well as 50.exe, 47.exe, 41.exe, 40.exe ); c:\dfndrff_e54.exe ( and 51.exe, 50.exe, 47.exe, 44.exe, 43.exe) ; c:\\mte3nd160d6xgnew.exe; plus some in sys restore. Whenever you open 'My Computer' a blank Google window pops up and the only way to close it is to go through alt+ctrl+del.
I then ran CCleaner, AdAware, Spybot S&D, and am yet to run ewido/AVG (after turning off system restore). One of these (can't remember which) detected smitfraud-c , amitfraud-c.Toolbar888, and coolwwwsearch among others.
As you can see his system is severely infected. He's had problems like this before and mum won't pay to get it fixed anymore, so I'm his only hope. And as I'm just starting out in this sort of stuff, you guys are my only hope!
So my main question here is, what to do now? Clean or delete files in AVG chest? Should I just run HijackThis now, or are there any other steps I should follow first?
Is this even going to be possible to fix?
Eagerly awaiting your reply AND thanking you in advance.
Cheers.
(oh btw- I 4get what kind of puter he has, I know it's an Acer, running WinXP SP2, pretty sure he uses Firefox/Mozilla browser)
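
An added example, not part of the original post or of any tool named in the thread: a small Python inventory of executables sitting directly in a drive root, recording size, modification time and SHA-256 so there is a record before anything is quarantined or deleted, and grouping names that differ only in a trailing number, as the `kybrdff_e54.exe` / `dfndrff_e54.exe` files described above do. The function names, the extension list and the `_e50`/`_e51` sample names are assumptions made for the illustration; the sample files are harmless placeholders.

```python
import hashlib, re, tempfile
from collections import defaultdict
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}  # assumed set of interest

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root):
    """Record every executable sitting directly in `root` (no recursion)."""
    rows = []
    for p in sorted(Path(root).iterdir()):
        if p.is_file() and p.suffix.lower() in EXEC_EXT:
            st = p.stat()
            rows.append({"name": p.name, "size": st.st_size,
                         "mtime": int(st.st_mtime), "sha256": sha256_of(p)})
    return rows

def numbered_families(rows):
    """Group names that differ only in a trailing number (foo_e54, foo_e50)."""
    fam = defaultdict(list)
    for r in rows:
        m = re.fullmatch(r"(.*?\D)(\d+)", Path(r["name"]).stem.lower())
        if m:
            fam[m.group(1)].append(r["name"])
    # A single numbered file proves little; two or more siblings stand out.
    return {k: sorted(v) for k, v in fam.items() if len(v) >= 2}

def demo():
    # Constructed sample: harmless placeholder files. Two names come from the
    # post; the _e50/_e51 siblings are an assumed reading of its shorthand.
    names = ["kybrdff_e54.exe", "kybrdff_e50.exe", "dfndrff_e54.exe",
             "dfndrff_e51.exe", "mte3nd160d6xgnew.exe", "boot.ini"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            (Path(d) / n).write_bytes(b"placeholder")
        rows = inventory(d)
        return rows, numbered_families(rows)

if __name__ == "__main__":
    rows, families = demo()
    for r in rows:
        print(r["name"], r["size"], r["sha256"][:16])
    print(families)
```

Identical hashes across differently named files, as in the sample, indicate copies of one binary; the saved rows also give something concrete to look up or attach to a help request later.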

Spiritsongs

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #10 on: November 17, 2006, 08:20:05 AM »
:)  Hi Pandammonia:

Your brother's computer should have the guidance of "Malware Experts" that are usually found on antiSPYWARE Support forums. They are volunteers who are very experienced in dealing with an "infected" computer. I recommend the one at www.landzdown.com because they are little known, resulting in fast turnaround times.

IF you have NOT already put the "HijackThis" program on your brother's computer, download HijackThis (© Merijn) from: www.thespykiller.co.uk/files/HJTsetup.exe .

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose "Save". After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.
« Last Edit: November 17, 2006, 08:22:24 AM by Spiritsongs »

galooma

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #11 on: November 17, 2006, 08:22:29 AM »
It doesn't matter how much energy you put in with AVG, you are still going to get some left on the system when it's finished that Avast! will detect.
As soon as Avast! is installed you will be prompted to run a boot scan and this is where you will find and deal with the leftovers. Try to move as much to chest as you can but some may be delete only.
Try to stay off the net until the system is clean and has a firewall and AV installed, so have those programs loaded onto disks or a flash drive for easy access.
Good luck and by all means post an HJT log if you need any help :)

pandammonia

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #12 on: November 17, 2006, 11:02:46 AM »
spiritsongz-
Yeah I know. Total of 133 items in his vault. Will check out landzdown, cheers. One question for u though... I have read on other forums that if HJT is installed in C:\ some trojans/viruses can hide from it, also if you label it HiJackThis this can happen?
Clossau- hey fellow Aussie! I know, AVG anti-virus blows big time. As I said earlier I want it off so I can work with avast!.
Got him to run ewido again- kept detecting same file (c:\windows\system32\dxdlib303562752.dll) no matter how many times it was cleaned and sent to vault. Also "project1" has shown up under running programs, and whenever he logs on, a Firefox window pops up saying 'powerzip self extractor is extracting files. Please wait...'.
I have searched Google and numerous forums for answers but am now so overwhelmed with conflicting information I'm getting addled, befuddled, bemused, confused, cranky, and irritable. His system is a mess!
Would i be right in this method;
Restore all files from AVG vault to disk/flash.
Uninstall AVG, install AVAST!
Boot time scan.
Turn off system restore.
Run CCleaner.
Run in safe mode- adaware, spybot s&d, AVG anti-spyware (ewido).
Run HJT (should this be done in safe mode?)
Post log!

FreewheelinFrank

  • Avast Evangelist
Re: MSN virus/several trojans help?!?
« Reply #13 on: November 17, 2006, 11:09:07 AM »
Hi Pandammonia,

I'm a little surprised that AVG is suddenly finding all this stuff: did he disable the anti-virus, I wonder, or did some malware disable it for him?

If you want to use the tools at hand to clean the system, make sure you run scans in safe mode where possible:

http://www.pchell.com/support/safemode.shtml

Run a scan in safe mode with AVG and AVG anti-spyware and Spybot, and also Ad-Aware and a-Squared free if you don't have these already.

AVG have a rootkit scanner, which I'd recommend you run before all these scans:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

If your brother is relying on the Windows firewall, the malware has probably brought it down: I'd recommend downloading a good third-party firewall like Zone Alarm or Kerio and installing that.

If you update all your programs, go off line and chug through all the scans, install the firewall, come back on line and post a HijackThis! log, we can clean up anything remaining and you can uninstall AVG and install avast! if you want to.

As your brother has had similar problems in the past, it may be a good idea to make yourself the computer administrator and give him a limited user account with locked-down security. At the very least, you need to educate him about how he is getting infected. New viruses appear on MSN/Yahoo messenger hourly, and nothing is guaranteed to catch all of them, so if he doesn't learn some caution, he's going to undo all your good work in about five minutes once you let him loose again.

http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html

http://www.castlecops.com/article-6112-nested-0-0.html

http://www.castlecops.com/postlite7736-.html


pandammonia

  • Guest
Re: MSN virus/several trojans help?!?
« Reply #14 on: November 17, 2006, 11:50:35 AM »
Frank- Thanks for prompt reply. (That's why I use avast forums rather than others, so quick on the ball.)
I'm not too sure as to why AVG didn't catch it as it came in. It is possible he disabled it manually, he does stupid stuff like that. He just doesn't read things properly before he clicks.
Is a-squared the old name for AVG anti-spyware/ewido?
Will do the rootkit scan tomorrow and run all in safe mode. Do I do HJT in safe mode too?
Your advice re the administrator thing is something I didn't know. Will do that one once we're clean.