Author Topic: Are Viruses Gone?  (Read 11782 times)


Feef

  • Guest
Are Viruses Gone?
« on: January 04, 2009, 10:48:02 PM »
Hi, yesterday I received prompts from Avast that I had a virus and followed the steps to remove them.  I would really appreciate some help finding out if they are actually gone.  I do all of my banking online and need to know if it is still safe :-[.

My comp had the following viruses detected by Avast and Super AntiSpyware:

AVAST
Win:32 Trojan-gen
JS:Agent-CK[trj]
Win:32 Seneka [Rtk]

SUPER antispyware
Unclassified.Unknown Origin
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
   HKU\S-1-5-21-986597417-954150252-1559167742-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Rootkit.Agent/Gen-SENEKA
   HKLM\system\controlset001\services\seneka
   C:\WINDOWS\SYSTEM32\DRIVERS\SENEKADUYBWWXV.SYS
   HKLM\system\controlset002\services\seneka

Rogue.AntiSpywareMaster
   HKU\S-1-5-21-986597417-954150252-1559167742-1006\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

Rogue.VirusRemover2008
   HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
   HKU\S-1-5-21-986597417-954150252-1559167742-1006\Software\VirusRemover2008
   HKLM\Software\VirusRemover2008
Trojan.Dropper/Win-NV
   C:\WINDOWS\SYSTEM32\DRIVERS\SENEKA.SYS

Numerous cookies were also deleted.

I looked for similar problems in the forum and installed hijackthis as often recommended.  The reports generated are attached.

Thanks a lot for any help you can give me,

Felica
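The findings in the post above are more telling when correlated than when read one line at a time: the same CLSID sits under both Browser Helper Objects and ShellExecuteHooks (one DLL registered for two load points, so it runs inside Internet Explorer and inside Explorer), the seneka service is registered in ControlSet001 and ControlSet002 (so cleaning only the live set leaves it for a Last Known Good boot), and the two rogue entries share one GUID. The script below is an added example, not code from the post or from SUPERantispyware; it parses the category/item layout of the scan results as posted, classifies each item by the persistence mechanism it represents, and groups by CLSID and by service name. The mechanism labels and the rule list are the author's own, and the log text is the post's own findings reused as sample input.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The SUPERantispyware findings from the post above, reproduced as sample input:
# a category line followed by indented registry keys or file paths.
SAMPLE_LOG = r"""Unclassified.Unknown Origin
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
   HKU\S-1-5-21-986597417-954150252-1559167742-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Rootkit.Agent/Gen-SENEKA
   HKLM\system\controlset001\services\seneka
   C:\WINDOWS\SYSTEM32\DRIVERS\SENEKADUYBWWXV.SYS
   HKLM\system\controlset002\services\seneka

Rogue.AntiSpywareMaster
   HKU\S-1-5-21-986597417-954150252-1559167742-1006\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

Rogue.VirusRemover2008
   HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
   HKU\S-1-5-21-986597417-954150252-1559167742-1006\Software\VirusRemover2008
   HKLM\Software\VirusRemover2008
Trojan.Dropper/Win-NV
   C:\WINDOWS\SYSTEM32\DRIVERS\SENEKA.SYS
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Ordered: the first matching rule wins. Labels are this example's own names.
# Only the first four are load points that execute code; the rest are
# bookkeeping or configuration left behind by the same components.
RULES = [
    (re.compile(r"\\Explorer\\Browser Helper Objects\\\{", re.I), "bho"),
    (re.compile(r"\\Explorer\\ShellExecuteHooks", re.I), "shellexecutehook"),
    # CurrentControlSet is a link to one ControlSet00N and the other is the
    # LastKnownGood set, so a service left in either survives a clean of the other.
    (re.compile(r"^HKLM\\system\\controlset\d+\\services\\", re.I), "service"),
    (re.compile(r"^[A-Z]:\\.*\\drivers\\[^\\]+\.sys$", re.I), "driver-file"),
    (re.compile(r"\\CurrentVersion\\Ext\\Stats\\", re.I), "ie-addon-stats"),
    (re.compile(r"^HK(LM|U)\\(.*\\)?Software\\", re.I), "app-key"),
]
LOAD_POINTS = {"bho", "shellexecutehook", "service", "driver-file"}


@dataclass(frozen=True)
class Finding:
    category: str
    path: str
    mechanism: str
    guid: Optional[str]


def classify(path: str) -> str:
    for rx, mechanism in RULES:
        if rx.search(path):
            return mechanism
    return "other"


def parse_findings(log: str):
    """Turn the scanner's category/item layout into Finding records."""
    findings, category = [], None
    for line in log.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            path = line.strip()
            m = GUID_RE.search(path)
            findings.append(Finding(category, path, classify(path), m.group(0).upper() if m else None))
        else:
            category = line.strip()
    return findings


def by_guid(findings):
    """Group by CLSID so one component registered under several keys shows as one thing."""
    groups = defaultdict(list)
    for f in findings:
        if f.guid:
            groups[f.guid].append(f)
    return dict(groups)


def load_points(findings):
    """The entries that would execute code again on the next boot or browser start."""
    return [f for f in findings if f.mechanism in LOAD_POINTS]


def driver_files_for(findings):
    """Pair each service key with driver files whose names start with the service name."""
    drivers = [f.path for f in findings if f.mechanism == "driver-file"]
    out = defaultdict(list)
    for f in findings:
        if f.mechanism == "service":
            svc = f.path.rsplit("\\", 1)[-1].lower()
            for d in drivers:
                if d.rsplit("\\", 1)[-1].lower().startswith(svc) and d not in out[svc]:
                    out[svc].append(d)
    return dict(out)


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_LOG)
    for guid, items in by_guid(fs).items():
        print(guid, "->", sorted({f.mechanism for f in items}))
    print("services -> drivers:", driver_files_for(fs))
    for f in load_points(fs):
        print(f"[{f.mechanism}] {f.path}")
```

Run against a fresh scan log after cleaning: anything `load_points()` still returns is what actually needs to be gone before online banking is safe again; the `app-key` and `ie-addon-stats` leftovers are clutter, not execution.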



Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67198
Re: Are Viruses Gone?
« Reply #1 on: January 04, 2009, 11:00:28 PM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Disable System Restore and then reenable it again.
6. Immunize your system with SpywareBlaster.
7. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33866
  • malware fighter
Re: Are Viruses Gone?
« Reply #2 on: January 04, 2009, 11:11:08 PM »
Hi Feef,

I would like to fix this using HJT: O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n020p/EN/install/gtdownlr.cab

polonus

P.S. Internet Explorer is considered a security hole by many computer security experts. Suggestions are to move to Firefox or another non-Internet Explorer browser. Internet Explorer cannot be safely uninstalled due to the tight integration with Windows internals, and requirements from various applications.

D.
« Last Edit: January 04, 2009, 11:15:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Feef

  • Guest
Re: Are Viruses Gone?
« Reply #3 on: January 05, 2009, 01:16:28 AM »
Thanks for the replies,

Polonus, I am not sure how I am supposed to fix it.  Can you please clarify?

Also, I will switch to Firefox, thanks for the suggestion.

Feef

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88736
  • No support PMs thanks
Re: Are Viruses Gone?
« Reply #4 on: January 05, 2009, 02:09:52 AM »
Close all browsers, run HJT again, find the relevant entry and tick the box to the left of it. Click the Fix checked button at the bottom of the window.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Feef

  • Guest
Re: Are Viruses Gone?
« Reply #5 on: January 05, 2009, 05:48:26 AM »
Hi,

It took me a while but I realise now what HJT is.  I followed Tech's advice and downloaded DrWeb CureIT and ran the program.  It found one suspicious file and I think it is the one that Polonus was trying to fix.  O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n020p/EN/install/gtdownlr.cab does not appear when I run HJT anymore so I cannot fix it.

-Did I move something that I wasn't supposed to?  Can I take it out of quarantine? There is a file that looks similar sitting in the DrWeb CureIT quarantine (gtdownlr_126.ocx).

My computer is running a lot faster now, just want to feel safe.

Thanks,
Feef



Spiritsongs

  • Guest
Re: Are Viruses Gone?
« Reply #6 on: January 05, 2009, 07:48:36 AM »
:) Hi:

From your "Log", you appear to have the malware-prone Adobe Reader on your computer!? IF true, I recommend you read the info at http://forum.avast.com/index.php?topic=38839.0 . There are safer alternatives, such as the FREE "Foxit Reader" or "Cute PDF".

In addition, you have the unnecessary "Bonjour\mDNSResponder" and should consider the Info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ and seriously consider uninstalling it by using the "Removal Instructions" there.

Feef

  • Guest
Re: Are Viruses Gone?
« Reply #7 on: January 06, 2009, 03:33:34 AM »
Hi,

Thanks for the advice.   I replaced Adobe Reader with Foxit; it's very fast.

Just a few unresolved issues:

-Was my moving that file instead of fixing it as polonus recommended a problem?
-I see the Bonjour program in my control panel add/remove, is it not ok to uninstall from there?
-I guess there were no other problems with my log?  As far as you can see am I free to do business as usual on the net?

Thanks again for all the help,


Feef

Feef

  • Guest
Re: Are Viruses Gone?
« Reply #8 on: January 06, 2009, 07:37:39 AM »
Hi I have another problem, well I think I do.

Is this normal?

This task below is set up in Scheduled Tasks and it is set to run 'every hour from 12:00 AM for 24 hours every day, starting 01/01/07'

"nztuezjh.job" (rundll32.exe)
   Started 06/01/2009 1:00:00 AM
[ ***** Most recent entry is above this line ***** ]

I have never seen this before (not that I check the tasks regularly) and on the log it first appears on Jan 3rd, 2008.

I have 'Stopped Using Task Scheduler', please advise if it is OK to restart.

Sorry if it is nothing, I am just really suspicious of everything right now.

Thanks,
Feef

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88736
  • No support PMs thanks
Re: Are Viruses Gone?
« Reply #9 on: January 06, 2009, 03:17:39 PM »
It should be OK to uninstall the Bonjour program in my control panel add remove programs. The only proviso would be if it is required by Apple spit, iTunes, etc. as that is I believe a common culprit for installing it, that you would have to check to ensure it wouldn't break any functionality.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88736
  • No support PMs thanks
Re: Are Viruses Gone?
« Reply #10 on: January 06, 2009, 03:40:22 PM »
Hi I have another problem, well I think I do.

Is this normal?
This task below is set up in Scheduled Tasks and it is set to run  'every hour from 12:00 AM for 24 hours everyday, starting 01/01/07'
"nztuezjh.job" (rundll32.exe)
   Started 06/01/2009 1:00:00 AM
[ ***** Most recent entry is above this line ***** ]
I have never seen this before (not that I check the tasks regularly) and on the log it first appears on Jan3rd-2008.

I have 'Stopped Using Task Scheduler', please advise if it is OK to restart.
<snip>

I would say it is most certainly not normal. As you say it is associated with the Task Scheduler and if you didn't create this Job then it is highly suspect. The lack of a meaningful name for a task is also suspect.

http://www.liutilities.com/products/winbackup/filextlibrary/files/JOB/
Quote
Appropriate program:

JOB is a file extension associated with Windows Task Scheduler Task Object.

You could open the Task Scheduler and check what this nztuezjh.job actually does; it might point to run some other files to try and compromise your system. If you are able to see what it is trying to do, post that here and disable the task. Notice I don't say delete the task, just in case, we need to confirm what it is doing.

If it mentions running a specific file, check to see if that file exists in the location (you might need to use search to find it). If it exists, right click on it and select Scan selected areas, also check it out at virustotal, see below.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Spiritsongs

  • Guest
Removing Bonjour/mDNSResponder
« Reply #11 on: January 06, 2009, 07:53:45 PM »
:) Hi:

Would NOT use "Add or Remove Programs" to "uninstall" Bonjour/mDNSResponder, but the SPECIFIC "Instructions" on the Raymond Site:

"1. Go to Start > Run > type the command below and hit OK.

"%PROGRAMFILES%\Bonjour\mDNSResponder.exe" -remove

2. Navigate to C:\Program Files\Bonjour
3. Rename the mdnsNSP.dll file in that folder to mdnsNSP.old
4. Restart your computer
5. Delete the Program Files\Bonjour folder

The first command will stop and remove Bonjour Service from your computer. To confirm, go to Start > Run and type services.msc. Look for Bonjour Service name. If it's not there, you've successfully removed it."

You also MAY want to consider the Info in the "Update" on the Raymond Site that recommends a wizard tool available at www.serophos.net/au-revoir-bonjour !?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88736
  • No support PMs thanks
Re: Are Viruses Gone?
« Reply #12 on: January 06, 2009, 08:02:09 PM »
Is there a problem with the uninstall or is it just that we shouldn't trust what is considered by many to be adware/spyware to clean house ?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33866
  • malware fighter
Re: Are Viruses Gone?
« Reply #13 on: January 06, 2009, 08:26:45 PM »
Hi DavidR & Feef,

If you've installed software by Apple such as iTunes, or software by Adobe such as Premiere Pro, Photoshop CS2 or Dreamweaver CS3, the chances are there's already a Bonjour folder in your Program Files. This service starts automatically and runs a process named mDNSResponder.exe which cannot be ended by Windows Task Manager. If you do not want Bonjour to be in your computer and want to uninstall it, sometimes you can't find any uninstaller for it! Even if you go to Control Panel's Add or Remove Programs, you can't find the uninstaller there either.

Here’s how to safely uninstall and remove the Bonjour service and files (mDNSResponder.exe and mdnsNSP.dll). Just follow the few simple steps below to remove Bonjour from your computer.

NOTE: Make sure you have administrator privileges before executing these commands. You might have to delete the quotes and input them manually, because the forum is outputting them as smart quotes.

   1. Go to [Start > Run] and type the following command and hit OK.
          * "%PROGRAMFILES%\Bonjour\mDNSResponder.exe" -remove
   2. Go to [Start > Run] again and type the following command and hit OK.
          * regsvr32 /u "%PROGRAMFILES%\Bonjour\mdnsNSP.dll"

After you restart, you can safely delete the Bonjour folder without errors.

To know whether you have actually uninstalled Bonjour, open services.msc and see if there is a service similar to "##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##". If it is not there, then it has been uninstalled. But the folder and files remain in the Program Files folder, just in case you want to install it again.

If you encountered problems after uninstalling or removing Bonjour, you can download and reinstall Bonjour. If you have any problems, let us know,

polonus

« Last Edit: January 06, 2009, 08:28:23 PM by polonus »

Feef

  • Guest
Re: Are Viruses Gone?
« Reply #14 on: January 07, 2009, 04:56:55 AM »
Thanks for clarifying, I will try to uninstall Bonjour again manually on the weekend since it doesn't seem dangerous.  I did try to follow the instructions from the link that Spiritsongs provided but stopped after a few attempts at following the directions (the virus was more of a concern); it wouldn't recognize the command.


I double clicked on the task scheduler and the program is set to run .exe "C:\WINDOWS\system32\urqPgDUm.dll",ShellPath.  I tried to search for the folder but could not locate it to do a scan.  I did a 'search' and also I looked directly in System32 folder.

I couldn't find any trace of an application or file with the name nztuezjh
other than the .job file sitting in my task scheduler.

I should also mention scheduler says that the last result was 0X103 and that the creator was me. What does that mean, 0X103?  My other tasks are 0X0 (maybe something to do with me stopping it?)

The task scheduler restarted when I turned my computer on, is that ok?  I amended the task to run every 999 days for now.


How do I fix this?  Does it even require fixing?
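The triage DavidR describes in reply #10 (see what the task actually runs, check whether that file exists, hash it for VirusTotal) and the details Feef reports in reply #14 (a random eight-letter task name, rundll32 loading a DLL from system32 that cannot be found, a last result of 0x103, the user shown as creator) can be turned into a repeatable check over a `schtasks /query /fo CSV /v` export. The script below is an added example and is not code from the thread or from any of the tools named in it. The CSV is constructed to mirror the nztuezjh.job entry plus one benign task, trimmed to a subset of the real export's columns; the "random name" heuristic, the two-reason threshold and the injectable `exists` callback are this example's own choices. 0x103 is 259, the Windows STILL_ACTIVE exit code, which Task Scheduler reports when the launched process has not exited.

```python
import csv
import hashlib
import io
import ntpath
import os
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, trimmed
# to the columns used here (the real export has more). Row 1 mirrors the
# nztuezjh.job entry from the thread; row 2 is a benign task for contrast.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Last Run Time","Last Result","Author","Task To Run","Schedule Type","Repeat: Every"
"FEEF-PC","nztuezjh","07/01/2009 2:00:00 AM","","06/01/2009 1:00:00 AM","259","FEEF-PC\Feef","rundll32.exe ""C:\WINDOWS\system32\urqPgDUm.dll"",ShellPath","Hourly","1 Hour(s)"
"FEEF-PC","Disk Cleanup","11/01/2009 3:00:00 AM","","04/01/2009 3:00:00 AM","0","FEEF-PC\Feef","C:\WINDOWS\system32\cleanmgr.exe /sagerun:1","Weekly","Disabled"
'''

STILL_ACTIVE = 0x103  # 259: the launched process had not exited when the scheduler last checked
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\w+)', re.I)
VOWELS = set("aeiou")


def parse_result(value: str) -> int:
    """Last Result is decimal in the CSV export and hex (0x103) in the GUI; accept both."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value or "0")


def looks_random(name: str) -> bool:
    """Cheap heuristic for generated names like nztuezjh or urqPgDUm: one short
    alphabetic token that is vowel-starved or flips case repeatedly. Abbreviations
    such as cleanmgr trip it too, so it only ranks and never decides alone."""
    token = ntpath.splitext(ntpath.basename(name))[0]
    if not (6 <= len(token) <= 12 and token.isalpha()):
        return False
    if token.islower():
        return sum(c in VOWELS for c in token) / len(token) < 0.3
    return sum(a.isupper() != b.isupper() for a, b in zip(token, token[1:])) >= 3


def target_of(command: str):
    """Return (path that will be loaded or run, rundll32 entry point or None)."""
    m = RUNDLL_RE.search(command)
    if m:
        return m.group("dll"), m.group("entry")
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    if not m:
        return command, None
    return m.group(1) or m.group(2), None


def sha256_of(path: str) -> str:
    """Hash the file so it can be looked up on VirusTotal by hash before uploading anything."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(csv_text: str, exists=os.path.exists):
    """One record per task with the reasons it looks suspicious. `exists` is
    injectable so an export can be reviewed on a different machine."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].strip("\\")  # Vista+ exports prefix task names with "\"
        target, entry = target_of(row["Task To Run"])
        reasons = []
        if looks_random(name):
            reasons.append("random-looking task name")
        if entry is not None:
            reasons.append(f"rundll32 loading {ntpath.basename(target)},{entry}")
            if looks_random(target):
                reasons.append("random-looking DLL name")
        if target and not exists(target):
            reasons.append("target file not found on disk")
        if parse_result(row["Last Result"]) == STILL_ACTIVE:
            # rundll32 given a DLL it cannot load shows an error box and waits, which
            # is one common way a task ends up stuck at 0x103 instead of 0x0.
            reasons.append("last result 0x103 (STILL_ACTIVE): the process never exited")
        # "Author" naming the logged-on user proves nothing: malware running in
        # that session creates its tasks under the same account.
        findings.append({
            "task": name,
            "target": target,
            "sha256": sha256_of(target) if target and os.path.isfile(target) else None,
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        })
    return findings


if __name__ == "__main__":
    # On the affected machine: schtasks /query /fo CSV /v > tasks.csv, then
    # triage(open("tasks.csv").read()); here the constructed sample is used.
    for f in triage(SAMPLE_CSV):
        flag = "SUSPECT" if f["suspicious"] else "ok     "
        print(flag, f["task"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

The point of the missing-file check is the one the thread ends on: a task that fires every hour to load a DLL that no longer exists is a leftover launcher whose payload was already removed (or was never at that path), and the 0x103 result is consistent with rundll32 failing to load it. The task itself is still a persistence entry and should be disabled, not just stretched to run every 999 days.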