Topic: My mom's computer is infected. Help please?


wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #15 on: August 24, 2008, 12:49:38 AM »
NORTON, MCAFEE AND AVG: lucky her computer could connect or run at all!
Thanks DavidR, you beat me to it!!!

Really glad you got MBAM to work
You can always try the McAfee tool(s) in safe mode
Do run the AVG tool that DavidR linked to
Do run the AntiVir registry cleaner and let me know what it finds that the removal tools missed :)

After you get her back up
CCleaner
Defrag
New Restore Point

I'd suggest Spyware Blaster by Javacool,
a Hosts file,
and either Windows Defender or SpywareTerminator (without the toolbar) for some free real-time protection for mom

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #16 on: August 24, 2008, 12:52:36 AM »
Thank you for the link. I am trying it now. I was using PCHell's site and used the McAfee tool they listed there. It seems to have locked or frozen on the system and claims to be running... indefinitely. But PCHell also said there was no AVG removal tool, so go figure. I am running AVG's now. So hopefully the only one left to remove is McAfee.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #17 on: August 24, 2008, 12:58:15 AM »
NORTON, MCAFEE AND AVG: lucky her computer could connect or run at all!
Thanks DavidR, you beat me to it!!!

Really glad you got MBAM to work
You can always try the McAfee tool(s) in safe mode
Do run the AVG tool that DavidR linked to
Do run the AntiVir registry cleaner and let me know what it finds that the removal tools missed :)

After you get her back up
CCleaner
Defrag
New Restore Point

Sorry, I posted before I saw this. I did run the AVG tool. By McAfee tool in safe mode, you mean to boot the computer in safe mode? I have not run the AntiVir reg cleaner yet but I will do it now. I was hoping the McAfee removal tool was going to work first.

I'd suggest Spyware Blaster by Javacool,
a Hosts file,
and either Windows Defender or SpywareTerminator (without the toolbar) for some free real-time protection for mom

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #18 on: August 24, 2008, 01:03:08 AM »
Is the AntiVir reg cleaner for Avira? As far as I know she never ran that. Is that why I am running the removal tool, or will it fix the rest of my registry problems? And sorry about my above post. The question is in there somewhere...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: My mom's computer is infected. Help please?
« Reply #19 on: August 24, 2008, 02:06:12 AM »
It also looks for other AVs registry entries.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #20 on: August 24, 2008, 03:36:33 AM »
The Major Geeks piece was written before the AVG tool was released in July this year.
David is correct about the AntiVir tool: it's safer than a general registry cleaner and is tweaked for AV.
As David says, there are several McAfee tools.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #21 on: August 24, 2008, 04:06:01 AM »
Okay, I just ran the program and followed the steps. About 10 items appeared and I checked all and tried to delete/remove them but got a red X error in German... :) I have no idea what it said but it wouldn't do anything.

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #22 on: August 24, 2008, 04:50:27 AM »
No idea without going to the AntiVir forum - not a bad idea with 10 of them.
Maybe they will be removed upon reboot or something like that.
Do save the locations and you can go in and remove them by hand.
10 - who'd a thought :) Whose entries were there (in other words, whose tool does not work)?

You might go to the McAfee site and see if there are other tools there.

Add to the to-do list:
run Secunia Software Inspector and update all of mom's apps
then run CCleaner again
then do the defrag and a new restore point

Other people are asking about that Vista administrator question - did you get an answer yet?

After you get Avast installed, updated and a scan, post back and we can talk prevention.

You did re-run the MBAM quick scan and REMOVED what it found - did I miss that? Not to worry, it will make a backup.

When you are all done you could read the sticky about HijackThis and post a scan.
DO NOT FIX ANYTHING
We might get some of those old AV entries that way.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #23 on: August 26, 2008, 02:31:35 AM »
These seem valid detections and the only recent ones 21/8/2008, but the main thing is what action did your Mom choose on the detection, Move to chest, Delete, etc. ?

We selected "move to chest" on all of them. Are they considered okay or "qt" in the vault, or do we need to perform additional steps?

Also what log should I post to determine whether there are leftover remnants of old AV programs? I tried all the removal tools, some worked, some did not. I am a little wary of making manual changes to the registry since I am a novice user. Should I not be as concerned about that as I am?

Once I know her old programs are gone I am ready to uninstall/ reinstall avast, along with the rest of her spyware/malware programs. Thanks in advance!

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #24 on: August 26, 2008, 02:38:09 AM »
I tried using the AntiVir removal tool and got that message in German. Here is the reply I got from Avira's support forum:

Hello,

The Avira Registry cleaner isn't used for this purpose, it's to correct uninstallation problems. The message you got was "Error when deleting one or more keys".

AntiVir Personal - Free doesn't have spyware protection, so in this case I suggest running a dedicated AntiSpyware product such as SuperAntiSpyware or Malware Bytes AntiMalware (both freeware).

Cheers,

Steve

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #25 on: August 26, 2008, 03:09:43 AM »
Upon further inspection I noticed that the only entries that the AntiVir reg cleaner found were Avast entries, which is currently installed on the machine. Can anyone advise me on how to proceed? I suppose I need to know for sure whether the old AVs are gone, uninstall and reinstall Avast, and then an array of anti-spyware/malware programs, correct?

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #26 on: August 26, 2008, 06:09:56 AM »
I would think that if the only entries were Avast entries and there were no others then you are good to go.

so let's recap

Did you update avast and run a boot time scan- anything to send to chest?
anything currently in the chest (not counting 3 system backup files?)
what are they? can you post a log?
leave them in the chest for now

back on track


Add to the to-do list:
run Secunia Software Inspector and update all of mom's apps
then run CCleaner again
then do the defrag and a new restore point

Other people are asking about that Vista administrator question - did you get an answer yet?

After you get Avast installed, updated and a scan, post back and we can talk prevention.

You did re-run the MBAM quick scan and REMOVED what it found - did I miss that? Not to worry, it will make a backup.

When you are all done you could read the sticky about HijackThis and post a scan.
DO NOT FIX ANYTHING
We might get some of those old AV entries that way.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #27 on: August 26, 2008, 09:41:06 PM »
Okay. Nothing showed up this time in the boot scan. When we ran Avast it seemed to pick up a lot of things. Here is the warning log. It also left a window open showing 700 lines that could not be scanned. They are supposed to be archived files that are password protected. Is this normal? I know my mom would not intentionally password protect anything. I'm not sure what archived files actually are.

8/25/2008 8:45:11 PM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/25/2008 9:06:28 PM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4172\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:14:43 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4227\comps\acs\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:15:33 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\waol\0.4334.34.1\comps\acs\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:50:43 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1009\A0235832.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 12:59:13 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1053\A0248685.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:04:53 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1078\A0258348.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:07:29 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1082\A0258783.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:07:56 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032797.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:07:58 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032798.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:08:03 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032799.exe\$R1\$PLUGINSDIR\utility.dll" file. 
8/26/2008 1:08:07 AM   Vicki Hull   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032800.exe\$R1\$PLUGINSDIR\utility.dll" file. 

Offline DavidR

Re: My mom's computer is infected. Help please?
« Reply #28 on: August 26, 2008, 10:12:21 PM »
See this topic, http://forum.avast.com/index.php?topic=35347.msg297170#msg297170, for more information on why files can't be scanned.

From your log:
I suspect this may be a false positive on the utility.dll file, which is inside this file "C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe"

Don't worry about those in the C:\System Volume Information\_restore points for the time being; these have previously been removed from system folders and System Restore has saved them in a restore point.

"C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe"

Check the offending/suspect file above, at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

What is this CCU_Suite from AOHell that is causing this issue?
When I see or hear "Suite" I think security, and that means anti-virus, etc., which could mean virus signature files which could be detected by other AVs.
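An added triage example (my own code, not from the thread or from avast) that encodes DavidR's reading of the warning log above: it parses avast 4.8 warning-log lines in the format shown, splits the nested path into the on-disk container (the installer) and the member flagged inside it, and separates hits that sit in System Restore points from files still in live locations, which are the ones worth exporting from the chest and checking on VirusTotal. The sample lines are constructed from the thread's paths with a placeholder user name; the regex and the list of container extensions are my assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample in the avast 4.8 warning-log format seen in the thread
# (paths taken from the thread, user name replaced with a placeholder).
SAMPLE_LOG = r"""
8/25/2008 8:45:11 PM   User   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file.
8/26/2008 12:14:43 AM   User   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4227\comps\acs\ecuinst.exe\$R1\$PLUGINSDIR\utility.dll" file.
8/26/2008 12:50:43 AM   User   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1009\A0235832.exe\$R1\$PLUGINSDIR\utility.dll" file.
8/26/2008 1:07:56 AM   User   3496   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP158\A0032797.exe\$R1\$PLUGINSDIR\utility.dll" file.
"""
# One warning line: timestamp, user, process id, signature name, path (assumed layout).
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>.+?)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
# A path component ending in one of these is a container avast unpacked;
# everything after it is a member inside that installer/archive (assumption).
CONTAINER_EXTS = (".exe", ".zip", ".cab", ".msi", ".rar")
RESTORE_PREFIX = r"c:\system volume information\_restore"

def parse_line(line):
    """Return a dict for one warning line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["path"].split("\\")
    rec["container"], rec["member"] = rec["path"], ""
    for i, comp in enumerate(parts[:-1]):
        if comp.lower().endswith(CONTAINER_EXTS):
            rec["container"] = "\\".join(parts[:i + 1])   # file actually on disk
            rec["member"] = "\\".join(parts[i + 1:])      # flagged item inside it
            break
    rec["restore_point"] = rec["path"].lower().startswith(RESTORE_PREFIX)
    return rec

def triage(log_text):
    """Group hits per signature: containers in live locations (worth a
    VirusTotal check), copies held by System Restore, and flagged members."""
    out = defaultdict(lambda: {"live": [], "restore_point": [], "members": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        group = out[rec["sig"]]
        group["restore_point" if rec["restore_point"] else "live"].append(rec["container"])
        if rec["member"]:
            group["members"].add(rec["member"])
    return dict(out)

if __name__ == "__main__":
    for sig, g in triage(SAMPLE_LOG).items():
        print(sig, "| live:", g["live"], "| restore-point copies:", len(g["restore_point"]))
```

On the four sample lines this yields two live `ecuinst.exe` containers to check and two restore-point copies to set aside, with `$R1\$PLUGINSDIR\utility.dll` as the single flagged member.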

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #29 on: August 27, 2008, 12:39:29 AM »
This is what it came up with. Is this what you were looking for?

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.8.21.0   2008.08.26   -
AntiVir   7.8.1.23   2008.08.26   -
Authentium   5.1.0.4   2008.08.26   -
Avast   4.8.1195.0   2008.08.26   -
AVG   8.0.0.161   2008.08.26   -
BitDefender   7.2   2008.08.26   -
CAT-QuickHeal   9.50   2008.08.26   -
ClamAV   0.93.1   2008.08.26   -
DrWeb   4.44.0.09170   2008.08.26   -
eSafe   7.0.17.0   2008.08.26   -
eTrust-Vet   31.6.6050   2008.08.26   -
Ewido   4.0   2008.08.26   -
F-Prot   4.4.4.56   2008.08.26   -
F-Secure   7.60.13501.0   2008.08.26   -
Fortinet   3.14.0.0   2008.08.26   -
GData   19   2008.08.27   -
Ikarus   T3.1.1.34.0   2008.08.26   -
K7AntiVirus   7.10.428   2008.08.25   -
Kaspersky   7.0.0.125   2008.08.27   -
McAfee   5370   2008.08.26   -
Microsoft   1.3807   2008.08.25   -
NOD32v2   3390   2008.08.26   -
Norman   5.80.02   2008.08.26   -
Panda   9.0.0.4   2008.08.26   -
PCTools   4.4.2.0   2008.08.26   -
Prevx1   V2   2008.08.27   -
Rising   20.59.11.00   2008.08.26   -
Sophos   4.32.0   2008.08.26   -
Sunbelt   3.1.1582.1   2008.08.26   -
Symantec   10   2008.08.27   -
TheHacker   6.3.0.6.060   2008.08.23   -
TrendMicro   8.700.0.1004   2008.08.26   -
ViRobot   2008.8.26.1350   2008.08.26   -
VirusBuster   4.5.11.0   2008.08.26   -
Webwasher-Gateway   6.6.2   2008.08.26   -
Additional information
File size: 260040 bytes
MD5...: 05302706faf24ca3ca8d7dbb492da107
SHA1..: 1105c3d6153a6cb126df4889a73279039d7ba1bb
SHA256: 7f0ba876bd18196e3c8e97cf4650d77cfc4e59327df33368a768bb45d3bb4701
SHA512: 0abcdebfa9a554c86c3a0782701cdcca87f7544ffbf91d54cc04c43e1a3b379400acb5cf55588c98140b900bf50614a75761b82042fa54cdc795b44b64266876
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403aea
timedatestamp.....: 0x42836681 (Thu May 12 14:21:53 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x648a 0x6600 6.40 95a08a351a308601606d05c5e0caf3be
.rdata 0x8000 0x1c72 0x1e00 5.27 ad3480bbd2b89b35a1007f68da4f66ed
.data 0xa000 0x1c494 0x200 1.29 ac97ebca38d2d8318dca1994bee4b5de
.ndata 0x27000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x32000 0x1000 0xa00 3.12 dce22a93b82b0940b758a282e4a50021

( 8 imports )
> COMCTL32.dll: -, ImageList_AddMasked, ImageList_Destroy, ImageList_Create
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
> KERNEL32.dll: FormatMessageA, GetLastError, GetModuleHandleA, SetErrorMode, GetExitCodeProcess, WaitForSingleObject, ExpandEnvironmentStringsA, GetEnvironmentVariableA, lstrcmpiA, CloseHandle, SetFileTime, GetFileAttributesA, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, lstrcatA, SetCurrentDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, LoadLibraryA, CreateDirectoryA, ExitProcess, GetCurrentProcess, CopyFileA, lstrcpynA, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, GetUserDefaultLangID, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, GlobalAlloc, CreateThread, CreateProcessA, GetTempFileNameA, lstrcpyA, lstrlenA, SetEndOfFile, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetSystemDirectoryA, RemoveDirectoryA, MulDiv, DeleteFileA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GlobalFree, GetPrivateProfileStringA, WriteFile, ReadFile, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, GetModuleFileNameA
> USER32.dll: PostQuitMessage, SetWindowTextA, SetTimer, DestroyWindow, CreateDialogParamA, ExitWindowsEx, CharNextA, GetSysColor, GetWindowLongA, LoadCursorA, SetCursor, CheckDlgButton, GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcA, IsWindowVisible, LoadBitmapA, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuA, CreatePopupMenu, GetSystemMetrics, EndDialog, SetClassLongA, IsWindowEnabled, SetWindowPos, DialogBoxParamA, GetClassInfoA, CreateWindowExA, SystemParametersInfoA, RegisterClassA, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, wvsprintfA, SetForegroundWindow, ShowWindow, CharPrevA, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, PeekMessageA, DispatchMessageA, InvalidateRect, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SendMessageA
> GDI32.dll: GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SetBkColor, SelectObject
> ADVAPI32.dll: RegDeleteKeyA, RegEnumKeyA, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegCloseKey
> SHELL32.dll: ShellExecuteA, SHBrowseForFolderA, SHGetMalloc, SHGetSpecialFolderLocation, SHFileOperationA, SHGetPathFromIDListA
> ole32.dll: OleUninitialize, OleInitialize, CoCreateInstance

( 0 exports )