Topic: malware contamination, help!

egr (Guest)
malware contamination, help!
« on: August 14, 2008, 08:23:05 PM »
I posted this in another topic:

I am not really too technical, so I hope you understand my problems if I explain them as well as I can...

I have Windows SP2 on a computer with 512 MB RAM and a 1.8 GHz AMD Sempron processor, with about 80% of the hard drive used (it's a small 80 GB drive, and yes, I know I could do way better; I just haven't and can't afford any upgrades soon).
The AV is Avast Home Edition 4.8 and I also use Windows Firewall. I didn't install anything more since I am not sure what is good and what is not.

I've been having problems since Saturday the 9th (updates are automatic, so I've no idea if there was a program update then or not).

Problems are:

First, I had a "powerscan antivirus" popup appear unrequested in my Firefox browser (which crashed immediately). Since I've had a bad history with unrequested AV popups, I ran a scan on my C: and all it found were ALL the ALWIL Software files (namely all Avast files), which were infected with a trojan. At that point I got really scared, uninstalled Avast, redownloaded, reinstalled, updated the virus database and ran two scans.
One in safe mode, after installing the AV: it found only one infected file (a trojan, it said; not an .exe file) in the D: partition's System Restore files.
I am not sure if I did well, but I disabled System Restore hoping to delete all the files, then re-enabled SR.
Then I did a second thorough scan, with archive scanning included, after entering Windows. It didn't find anything more.

So this took care of the unrequested popups.

Second problem: since then it takes forever to access the internet with Firefox. I don't like Internet Explorer and I don't want to use it; I like Firefox and I want to keep using it. But it takes a very long time to go online and also to browse pages once the browser is open. The main process that strains the system is svchost.exe, which seems to be running in separate locations for SYSTEM and NETWORK (I'm in a network, so maybe that's OK, but I'm not sure. Avast is only installed on my computer; I don't know what the others have). The processor hits 100% usage all the time and it's not really healthy for it.

Reading through this thread, I noticed that some users have disabled archive scanning after doing the safe-mode scans, so I've disabled it too to see if it makes any difference. So far I've seen none.

So what I wonder is this...

1. Does the latest update make this happen, overusing the processor and slowing down my system??
It's getting annoying when even Google won't show because of the long delays that cut the connection.

2. Is it possible that by uninstalling the "positive" infected Avast files I actually allowed a virus to spread and infect my computer? Does reinstalling and scanning in safe mode provide a safety belt for this?

3. Is it possible that a virus database used as an update was corrupted and made my AV go crazy on me?!

4. Which online scan could I use to make sure the system IS clean and not giving me false good reads? I don't want to stop Avast for an online scan by another AV; are there some good enough that wouldn't require stopping the running AV?

5. Is it really the fact that Avast was updated to fit better, newer systems that's making it incompatible with my older and slower system?

Sorry for all the questions. I am just getting really freaked out here.


To which I got this reply:
Hi egr,

Different problem here, so best not to reply to this but to start a new post in the Virus and Worms forum (below).

Start by going to Malwarebytes and running their online ROGUE REMOVER, and THEN
their FREE ANTI-MALWARE: update it and run a full scan.

Post the log in your new post/thread.
Are you using Windows XP/Vista?
Scheduling the Boot Time Scan

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files (suggestion: send to Chest)
Choose how to automatically process infected system files (suggestion: ignore/do nothing)
Click the Schedule button to confirm the settings.


Thank you for the reply, btw~

The OS is Windows XP, unlicensed (yes, I know. I can't find it to buy at a reasonable price in my country after the Vista explosion. I do NOT want Vista.)

So I did as advised above and used RogueRemover (it didn't find any rogues), then installed and ran a quick scan of the system with Malwarebytes' Anti-Malware program. It found about 290 results, among which there are some trojans and some adware.

Avast didn't tell me anything about these in any of the scans.

A lot of the trojans and other things MBAM found in my system are located in registry keys. If I delete them, will that kill my system? Or are those keys only opened and used by the viruses?

Please tell me if deleting them all might kill my OS :(
I am attaching the MBAM scan log. If anyone could help me, I would be grateful!!

I am tempted to just go ahead and delete them anyway... but I am scared of getting a system crash and I don't have a boot disc...

HELP!

EDIT: the log is in Romanian. Anyway, what it says is that no dangerous infections were found, but there are those registry keys and files/folders infected with trojans and with adware.
« Last Edit: August 14, 2008, 08:36:21 PM by egr »
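The post above reports svchost.exe pinning the CPU under both SYSTEM and NETWORK accounts. Task Manager only shows the process name, so the useful next step is to see which services each svchost instance is hosting, how much CPU time each has burned, and whether the image is really the one in System32. The script below is an added example written for this edit, not code from the thread or from any of the tools discussed; the function name is made up, and it assumes Windows PowerShell 2.0 or later with WMI available.

```powershell
# Added example (not from the thread): list every svchost.exe instance with the
# services it hosts, its accumulated CPU time, the account it runs as and the
# path it was started from. Assumes Windows PowerShell 2.0+ and WMI; the
# function name is made up for this illustration.
function Get-SvchostReport {
    $expected = (Join-Path (Join-Path $env:SystemRoot 'System32') 'svchost.exe').ToLower()

    # Services with a non-zero ProcessId are currently running inside some process
    $running = Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc = $_

        # Win32_Process reports kernel/user time in 100-nanosecond units
        $cpuSeconds = [math]::Round(([double]$proc.KernelModeTime + [double]$proc.UserModeTime) / 10000000, 1)

        # Names of the services that share this process id
        $hosted = $running | Where-Object { $_.ProcessId -eq $proc.ProcessId } | ForEach-Object { $_.Name }

        # GetOwner() returns the account the process runs as (SYSTEM, NETWORK SERVICE, ...)
        $owner = $proc.GetOwner()
        $account = '(unknown)'
        if ($owner.ReturnValue -eq 0) { $account = "$($owner.Domain)\$($owner.User)" }

        # A genuine svchost.exe lives in System32; any other path deserves a closer look.
        # ExecutablePath is $null when the caller lacks rights to read it (non-admin).
        $pathLooksOK = $false
        if ($proc.ExecutablePath -ne $null) {
            $pathLooksOK = ($proc.ExecutablePath.ToLower() -eq $expected)
        }

        New-Object PSObject -Property @{
            PID         = $proc.ProcessId
            Account     = $account
            CPUSeconds  = $cpuSeconds
            Services    = ($hosted -join ', ')
            Path        = $proc.ExecutablePath
            PathLooksOK = $pathLooksOK
        }
    } | Sort-Object CPUSeconds -Descending
}

# Usage: hottest svchost first; then read its Services and PathLooksOK columns
Get-SvchostReport | Format-Table PID, Account, CPUSeconds, PathLooksOK, Services -AutoSize
```

Run it from an elevated (Administrator) session so ExecutablePath and the owner are readable for SYSTEM-owned processes. A high CPUSeconds value on an instance whose Services column lists only the usual Windows services points at a misbehaving service or update rather than malware; an instance with an empty Services column, or a path outside System32, is what to quarantine and investigate.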

wyrmrider (Guest)
Re: malware contamination, help!
« Reply #1 on: August 14, 2008, 11:09:18 PM »
MBAM should have a quarantine function.
Do not delete.
Now you see why you run both RR and MBAM :)
Can you post the MBAM log with a Google translation, or perhaps some of the Avast folk speak Romanian?
There may be other things.
Can you try a Dr.Web CureIt! scan?

wyrmrider (Guest)
Re: malware contamination, help!
« Reply #2 on: August 14, 2008, 11:36:24 PM »
I have some additional time to reply to your first post.
First, there are several baddies with "power" in their name:
PowerAntivirus
PowerAntivirus 2009
Powerscan antivirus
You can see descriptions here:
http://www.2-viruses.com/remove-adwarepowerscan
Go to the bar on the right to see two other PowerAntivirus descriptions.
Any idea which one you have?
Any of them will slow your system, including Firefox.
Glad your boot-time Avast scan was almost virus free; an active virus makes removing malware even tougher.
Do an online AV scan soon.

Your system should be perfect for Avast.

Any MBAM experts out there who can answer the poster's question?

egr (Guest)
Re: malware contamination, help!
« Reply #3 on: August 14, 2008, 11:50:36 PM »
Thank you, wyrmrider...

I did a thorough scan of C: only (there are no programs installed on my second partition; I use it for storage of media files and the like), and it came up completely clean. No registry key heads-up or anything.

So I ran yet another quick scan and lo! There are all the same infections. With the mention that it said "scanning for active infections" and found none, then moved on to "scanning for infected registry keys" and found all these bugs.

Aren't all system files supposed to be where the OS is installed?! Why do separate scans not find the same results?!

egr (Guest)
Re: malware contamination, help!
« Reply #4 on: August 14, 2008, 11:53:34 PM »
(I took a look at the 2-viruses site. It might've been the Powerscan adware, but there's no trace of it in the MBAM scan; it detects instead a lot of adware.enrgyPlus or something, and also a lot of Vundos.)

What if I place the files with viruses in the Avast Chest? Will that be good enough to stop them from slowing down my system?...

I wanted to attach two screenprints of the scans for comparison, and my link died on me. It reached 14 kbps up, then went dead; I should have a 7.3 Mbps connection. :(

egr (Guest)
Re: malware contamination, help!
« Reply #5 on: August 15, 2008, 12:09:38 AM »
OK, moved all files MBAM said were carrying Vundo to the Avast Chest. Will let you all know if it made a difference to the system's performance.

So what exactly would happen if I deleted all registry keys with the adware.enrgy.Plus in them? There are a lot of them... :(

EDIT: added the translated scan results from MBAM. It's a Google translation that I looked over to make sure it says the same things it says in Romanian. Now, if I didn't get the tech terms right, please forgive me.

(BTW, since "exiling" the files the system works a tad faster, though the online browsing hasn't shown any improvement.)
« Last Edit: August 15, 2008, 12:37:02 AM by egr »

wyrmrider (Guest)
Re: malware contamination, help!
« Reply #6 on: August 15, 2008, 01:13:30 AM »
MBAM
In the report there are boxes which are checked, and you can right-click on the entry and select Quarantine, etc., so let MBAM deal with all of it.


SuperAntiSpyware and Windows Defender are reputed to get adware energy plus and should do all of that work for you.
Vundo is more difficult; SuperAntiSpyware and Windows Defender will help depending on the version.

Perhaps someone running XP can take a look at this.
There is also
VundoFix, for example:
http://www.bleepingcomputer.com/forums/topic18610.html
Get the latest version HERE:
http://www.atribune.org/index.php?option=com_content&task=view&id=38&Itemid=2
But let's run a couple of general-purpose removers first, just in case there is something even nastier lurking.

Adware-Hotbar should be removed automatically, or see (for example):
http://www.raymond.cc/blog/archives/2006/06/10/remove-hotbar-adware-spyware-removal-instructions/
« Last Edit: August 15, 2008, 01:25:01 AM by wyrmrider »

egr (Guest)
Re: malware contamination, help!
« Reply #7 on: August 15, 2008, 01:22:43 AM »
Are these compatible with Avast? Will Avast stop them from working as they should?

If I get and install them, will they have to remain in my system? Too many antispyware, anti-adware and anti-whatever make me anxious already, since they could all be in conflict with each other and detect each other as threats :(

wyrmrider (Guest)
Re: malware contamination, help!
« Reply #8 on: August 15, 2008, 01:36:43 AM »
We are only talking about on-demand scanners here,
nothing that runs every time you start up,
so in effect they are only taking up disc space.
Paid versions of some of these programs do have real-time monitoring.

They will not conflict with Avast.
(Note to self: check on Windows Defender.)

Any comments from others?
Did you move all of those entries by hand?

egr (Guest)
Re: malware contamination, help!
« Reply #9 on: August 15, 2008, 01:43:23 AM »
No comments from others; thank you for your help.

I selected the infected files through the "User files - Add" option in the Avast Virus Chest.

I browsed the Atribune forum (for info on VundoFix) and there's a lot of tech there I don't understand. It looks to me like they're dealing with each separate PC problem and not making a general fix.

I can't get VundoFix, unless it's a 117 KB file (somehow I doubt it's so small). Is it that small? I am not sure if it should be run if it might be corrupted.

egr (Guest)
Re: malware contamination, help!
« Reply #10 on: August 15, 2008, 02:05:29 AM »
This post on Atribune has the EXACT infected files I have on my computer. But I didn't get to quarantine and delete.
http://www.atribune.org/forums/index.php?s=&showtopic=4748&view=findpost&p=25868
Someone who knows how this works, please tell me: will deleting the reg keys KILL my OS or NOT?

*3 AM, really tired, sorry*

egr (Guest)
Re: malware contamination, help!
« Reply #11 on: August 15, 2008, 02:26:55 AM »
Quarantined and deleted the files. They're not deleted from my computer YET, since I have no idea how this will affect it.

I ran a speed test after... download has increased to 3.6 Mbps (edit: retested: 6.2 Mbps, which is good :)) from 250 kbps previously, but I seem not to be able to upload anything measurable. :(

What can this be?? Firewall and antivirus settings aren't blocking any site I recognize.

I've also scanned for other possible malware and updated the MBAM database. No malware found :)
« Last Edit: August 15, 2008, 02:28:51 AM by egr »

wyrmrider (Guest)
Re: malware contamination, help!
« Reply #12 on: August 15, 2008, 02:34:16 AM »
Hi,
Do this when you are fresh.
First do the regular anti-spyware and AV apps.
Quarantine, do not remove, any hits.
That should get rid of most of the bad stuff without you needing to worry about your OS.


Is this where you tried to get the fix?
http://vundofix.atribune.org/
It is NOT a big file.

If running MBAM and SuperAntiSpyware do not get the Vundo
and VundoFix does not get it on the first pass,
I'd consider going to the Atribune site
http://www.atribune.org/forums/index.php?s=e54a45a6e4ee4b2a75db49ed58b2b444&showforum=9
and reading all the stickies and posting whatever they want there, with a link to this post.
They are the experts on this particular infection.
Stay cool; you can get this.
Get some sleep.

If you do go to a specialist malware removal site, follow instructions exactly.
Ask questions,
but do not do any fixes unless asked for.
Glad your internet is better; you are going to need it.
« Last Edit: August 15, 2008, 02:42:45 AM by wyrmrider »
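The advice in the reply above, quarantine rather than delete, exists because a deleted registry key cannot be put back, while a quarantined one can. If a key has to be removed by hand anyway, the same safety can be had by exporting it to a .reg file first and deleting only once that export succeeded. The function below is an added example written for this edit, not code from the thread, from MBAM or from Avast; the function name, the backup folder and the sample key path are made up, and it assumes Windows PowerShell 2.0 or later plus the reg.exe that ships with XP and later.

```powershell
# Added example (not from the thread): remove a registry key only after exporting
# it to a .reg file, so the change can be undone with "reg import".
# Assumes Windows PowerShell 2.0+ and reg.exe; the function name, the backup
# folder and the sample key path are made up for this illustration.
function Remove-RegistryKeyWithBackup {
    param(
        [Parameter(Mandatory = $true)]
        [string] $KeyPath,                                            # e.g. 'HKCU\Software\Example\SuspectKey'
        [string] $BackupDir = (Join-Path $env:USERPROFILE 'RegBackup')
    )

    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }

    # Build a file name from the key path plus a timestamp so repeated runs never collide
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeName   = $KeyPath -replace '[\\:]', '_'
    $backupFile = Join-Path $BackupDir ("{0}-{1}.reg" -f $safeName, $stamp)

    # Step 1: export. A non-zero exit code means the key does not exist or is not
    # readable, and in that case nothing is deleted.
    & reg.exe export $KeyPath $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Export of '$KeyPath' failed (exit code $LASTEXITCODE); key left in place."
    }
    if (-not (Test-Path -Path $backupFile)) {
        throw "reg.exe reported success but '$backupFile' was not written; key left in place."
    }

    # Step 2: delete, only now that a restorable copy exists. /f suppresses the prompt.
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Delete of '$KeyPath' failed (exit code $LASTEXITCODE); backup kept at '$backupFile'."
    }

    Write-Output "Removed $KeyPath. To undo: reg import `"$backupFile`""
}

# Usage (hypothetical key): back up, then remove; undo with the printed "reg import" line.
# Remove-RegistryKeyWithBackup -KeyPath 'HKCU\Software\Example\SuspectKey'
```

Keys under HKLM need an elevated session to export and delete. Note that this only covers the registry side of an infection: a .reg backup does not restore the file the key pointed at, which is one more reason to let MBAM quarantine keys and files together rather than removing keys one at a time by hand.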

egr (Guest)
Re: malware contamination, help!
« Reply #13 on: August 15, 2008, 02:44:28 AM »
Thank you :)

Well, it seems that the very restricted upload (I got 28 kbps on upload, as compared to a steady 5.5 Mbps download) is something with the network firewalls and settings, and I am not the admin, so I guess I should stay cool indeed and wait for him to get his head around it.

I will try VundoFix just to check whether MBAM left something behind.

I am thinking my network server and other computers may have gotten the same virus. I tend to take care that my AV is updated and running well, but not all my colleagues do.

Thank you again for all your help. I'll post here if anything else goes well/bad :)

*off to bed*

wyrmrider (Guest)
Re: malware contamination, help!
« Reply #14 on: August 15, 2008, 03:11:20 AM »
Nite nite.
Is it dawn yet?
FYI, VundoFix is about 115-118 KB.

You may have 4 different things, so let's get 'em all.